Encrypt Online
Privacy: All tools run entirely in your browser.

PKCE Generator

Generate a verifier, derive the challenge, and keep the bytes exact for OAuth flows

Safety note: PKCE values stay in your browser. Treat the code verifier as a short-lived secret and keep it exactly as generated until the token exchange finishes.
Generate a PKCE verifier and challenge

Generate a browser-local verifier, derive the challenge with S256 or plain, and copy the exact values without touching the bytes.
Use Generate verifier for new flows, or paste an existing verifier below and click Update challenge.
RFC 7636 allows 43 to 128 characters. A 64-character verifier is a practical default.
S256 is the common modern default. plain uses the verifier as-is.
What PKCE Does

PKCE binds an authorization code flow to a client-generated secret. You send the derived challenge during the authorization request and later send the original verifier when you redeem the code.

Generate and Copy the Pair
  1. Generate a new verifier or paste the exact verifier your app already stored.
  2. Keep S256 selected unless a provider explicitly requires plain.
  3. Click Update challenge to derive the final challenge value.
  4. Copy the verifier and challenge separately so the later token exchange uses the exact same verifier bytes.
Why S256 Differs from plain

plain reuses the verifier as the challenge. S256 hashes the verifier bytes with SHA-256 and then Base64URL-encodes the digest without padding. That extra derivation step is where most PKCE copy-and-encoding mistakes happen.
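
The derivation described above, together with the RFC 7636 length and character check, as an added example that is not this tool's own code. It assumes Node.js and its built-in crypto module rather than the browser; all function names are hypothetical.

```javascript
// Added example (Node.js, built-in crypto only); function names are hypothetical.
const { createHash, randomBytes, timingSafeEqual } = require('node:crypto');

// RFC 7636 section 4.1: 43 to 128 characters from the unreserved set.
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

// 48 random bytes encode to exactly 64 Base64URL characters with no padding.
function generateVerifier(byteLength = 48) {
  return randomBytes(byteLength).toString('base64url');
}

// Client side: derive the code_challenge sent in the authorization request.
function deriveChallenge(verifier, method = 'S256') {
  if (!VERIFIER_RE.test(verifier)) {
    throw new Error('verifier outside RFC 7636 length or character bounds');
  }
  if (method === 'plain') return verifier;
  if (method !== 'S256') throw new Error(`unsupported method: ${method}`);
  // Hash the verifier's ASCII bytes, then Base64URL-encode the raw digest.
  return createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

// Server side: recompute from the presented verifier, compare in constant time.
function verifyPkce(storedChallenge, method, presentedVerifier) {
  let expected;
  try {
    expected = Buffer.from(deriveChallenge(presentedVerifier, method), 'ascii');
  } catch {
    return false; // malformed verifier or unknown method
  }
  const stored = Buffer.from(String(storedChallenge), 'ascii');
  return stored.length === expected.length && timingSafeEqual(stored, expected);
}

// Two frequent encoding mistakes, kept only to show they yield different strings.
function wrongChallenges(verifier) {
  const digest = createHash('sha256').update(verifier, 'ascii').digest();
  return {
    // Standard Base64: '+', '/' and the trailing '=' survive.
    paddedBase64: digest.toString('base64'),
    // Encodes the hex text of the digest instead of the raw digest bytes.
    base64OfHex: Buffer.from(digest.toString('hex')).toString('base64url'),
  };
}
```

Both outputs of wrongChallenges are rejected by verifyPkce, which is how these encoding slips surface as a failed token exchange.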

FAQ
Can I regenerate the verifier from the challenge later?

No. The verifier is the original secret. The challenge is a derived value, not a reversible encoding.

Why validate the verifier length here?

Because many “invalid verifier” errors come from strings outside the RFC 7636 bounds or from characters outside the allowed set.

Does this page send anything to a server?

No. PKCE verifier generation, SHA-256 hashing, and Base64URL output all stay in your browser.