Dev

Mock OAuth2 Flow Data Generator

Testing OAuth2 implementations demands realistic token payloads that mirror what a real authorization server actually returns. This mock OAuth2 flow data generator creates complete, structurally accurate request and response samples for the most common grant types: authorization code, client credentials, refresh token, and implicit flows. Each generated sample includes properly formatted JWTs, client IDs, redirect URIs, scopes, expiry timestamps, and state parameters — everything your test suite or documentation needs. Developers building OAuth2 clients often waste hours constructing fake payloads by hand, getting field names wrong or missing required properties. This tool eliminates that friction by producing spec-compliant samples in seconds. Select your target grant type, set how many samples you need, and instantly get payloads you can drop straight into Postman collections, mock servers, or unit test fixtures. Beyond testing, these samples serve as concrete teaching aids. Walking a junior developer through the authorization code flow is far more effective with a real-looking token exchange in front of them than with a whiteboard diagram alone. Similarly, API documentation that shows an actual response payload — with plausible token strings and expiry values — reads as far more trustworthy than placeholder text. The generator covers both the token request and token response sides of each flow, so you can test your parsing logic against realistic payloads without ever touching a live authorization server or exposing production credentials.

How to Use

  1. Select your target grant type from the OAuth2 Flow dropdown: authorization code, client credentials, refresh token, or implicit.
  2. Set the Number of Samples to how many distinct payloads you need — use 3 to 5 for documentation, more for seeding large test fixtures.
  3. Click Generate to produce complete, structured request and response payloads for the chosen flow.
  4. Copy individual samples directly into your test file, Postman collection, or mock server stub as needed.

Use Cases

  • Seeding Postman collections with realistic OAuth2 token response fixtures
  • Unit testing JWT parsing logic against plausible access token strings
  • Mocking authorization server responses in integration test suites
  • Populating API reference docs with concrete token exchange examples
  • Demoing OAuth2 login flows in staging environments without live credentials
  • Teaching the authorization code vs client credentials grant difference
  • Testing token refresh logic with correctly structured refresh token payloads
  • Generating sample PKCE flow data for security training exercises

Tips

  • Generate authorization code samples alongside client credentials samples to test that your code handles both user-delegated and machine tokens correctly.
  • Set count to 10 or more when seeding database fixtures — having varied token strings prevents false positives caused by duplicate-detection logic in your tests.
  • Use the refresh token flow samples specifically to test your token expiry and retry middleware: plug the mock expired access token into a request and verify the refresh path fires.
  • Compare the implicit flow output with the authorization code output side by side when teaching — the absence of a refresh token in implicit is immediately obvious and sparks useful discussion.
  • When using generated payloads with WireMock, set expires_in to a high value like 3600 so your client's expiry checks do not trigger unexpectedly during a test run.
  • Regenerate samples for each test run rather than committing a single static fixture — this catches bugs where your parser hardcodes expected token values instead of parsing them dynamically.

FAQ

What are the four OAuth2 grant types and when do I use each?

Authorization Code is used for server-side apps where a user logs in. Client Credentials is for machine-to-machine calls with no user involved. Refresh Token is used to obtain a new access token after the original expires. Implicit was designed for SPAs but is now deprecated in favor of Authorization Code with PKCE.

What is PKCE and why does the authorization code flow need it?

PKCE (Proof Key for Code Exchange) prevents authorization code interception attacks. The client generates a random code verifier, hashes it into a code challenge, and sends the challenge with the initial request. The server verifies the original verifier at token exchange time, ensuring only the legitimate client can redeem the code.

Are these generated tokens safe to commit to a repo?

Yes. Every token, client ID, and secret produced here is randomly generated and has no association with any real authorization server. They are safe to commit to test fixtures, documentation repos, or example code. Never substitute them for real credentials in any production configuration.

What format are the access tokens in?

The generated access tokens follow the JWT (JSON Web Token) structure with a Base64-encoded header, payload, and signature segment. The payload includes standard claims like sub, iat, exp, and scope. The signature is mock data and will not pass real verification — this is intentional for testing purposes.

Can I use these payloads with WireMock or other mock servers?

Yes. Copy a generated token response payload directly into a WireMock stub, Mockoon route, or MSW handler. The field names and structure match RFC 6749 conventions, so most OAuth2 client libraries will parse them without modification. You may need to adjust the expires_in value to prevent immediate expiry logic in your client.

What scopes are included in the generated samples?

Generated samples include realistic common scopes such as openid, profile, email, read, and write, varied per sample. These mirror the kinds of scopes seen in real-world providers like Google, GitHub, or Auth0, making them useful for testing scope validation and display logic in your application.

How do I test my token refresh logic with this generator?

Select the Refresh Token flow from the dropdown and generate a few samples. Each sample includes a structured refresh token request body and a corresponding token response with a new access token. Feed the request payload into your refresh handler and assert that your code correctly stores and uses the new access token from the response.

Why is the implicit grant type considered deprecated?

The implicit flow returns the access token directly in the URL fragment, making it vulnerable to token leakage through browser history, referrer headers, and intermediary scripts. OAuth 2.0 Security Best Current Practice (RFC 9700) recommends using Authorization Code with PKCE for all browser-based apps instead.