Inspectors

OAuth 2.0 helper (PKCE + URLs)

Generate PKCE values, build authorize URLs, parse return URLs.

Install for Chrome →All features

Tools → Inspect → OAuth 2.0 helper · 7-day free trial · Premium $9.99 / yr

Try it now·runs locally · nothing uploaded

PKCE values for your OAuth 2.0 flow

code_verifier

—

Keep this secret. You'll need it on the token exchange.

code_challenge (S256)

—

Send in authorize URL with code_challenge_method=S256.

state

—

Send in authorize URL, verify on return to prevent CSRF.

Want this and 50 more tools at one keyboard shortcut, with collections and persistence?Install free trial →

★ Premium

Built for the things AI can’t fake

This tool runs free, right here. The extension adds three things a web widget can’t:

Start 7-day trial→

★ Flagship

Playground

↗

JS / TS scratchpad — sandboxed and instrumented.

Paste real code, hit Run. Console + network monitor + watch expressions all in one panel.

·Real ES modules · top-level await
·URL imports — esm.sh & friends
·Live fetch monitor (every call)
·Watch expressions in your scope
·10s sandbox timeout · zero CORS pain

HTTP client

↗

Postman-style request runner.

Save collections, share variables, hit any API. Includes GraphQL with introspection, OpenAPI / cURL import.

·Bearer / Basic / API-key auth
·GraphQL · introspection
·OpenAPI 3.x · cURL import
·Copy as fetch / axios / Python

Realtime (WS + SSE)

↗

Stream-protocol tester — what Postman doesn’t do well.

WebSocket + Server-Sent Events with custom auth headers, auto-reconnect, JSON pretty-print.

·wss:// + ws:// + subprotocols
·SSE via fetch — Authorization works
·Auto-reconnect with backoff
·Send composer · ⌘ + Enter

What it does

OAuth 2.0 with PKCE is the standard auth flow for SPAs, mobile apps, and CLIs. You generate a code_verifier, derive a code_challenge (SHA-256 + base64url), include it in the authorize URL, and exchange the returned code (plus the verifier) for tokens.

The OAuth helper does all of that locally: generates the cryptographically-strong values, assembles the authorize URL with your client_id / redirect_uri / scope, and parses the redirect-back URL to surface the code, state, errors, and any id_token (decoded as a JWT).

Why use VibeGear's oauth 2.0 helper (pkce + urls)

✓64-char verifier from the RFC 7636 alphabet
✓S256 challenge via crypto.subtle — exactly what the spec wants
✓Return URL parser highlights code / id_token (green) and error (red)
✓id_token claims decoded inline as a JWT

How to use it

1Tools → Inspect → OAuth 2.0 helper.
2Click Regenerate for fresh PKCE values.
3Fill in client_id / redirect_uri / scope; copy the authorize URL.
4After the IdP redirects back, paste the URL into the parser to see what came back.

Related tools

JWT debugger

Decode tokens, see claims, spot expired sessions.

JWT signer (HMAC)

Mint test JWTs with arbitrary claims and a secret.

★ Premium

One install. Every tool above.

7 days free, then VibeGear Premium is $9.99 / €9.99 per year. Everything runs locally.

Install & start trial →→