Walk through the complete OAuth2 Authorization Code flow step by step — see every URL, parameter, and token exchange in real time.
Construct the authorization URL that redirects the user to the provider's login page, with response_type=code, the requested scope, and a random state parameter for CSRF protection.
User logs in at the provider and grants permission to your app's requested scopes. Provider redirects back to your redirect_uri with an authorization code.
Verify the returned state matches the one you sent (CSRF check). Extract the code from the callback URL query parameters.
POST to the token endpoint with your client_secret, code, and redirect_uri. Receive access_token and optionally a refresh_token.
Use the access_token in an Authorization: Bearer header to call the provider's userinfo endpoint and retrieve the authenticated user's data.
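The client side of the steps above, as an added example rather than code from the product this page describes: it builds the authorization URL, validates the callback's state before touching the code, and assembles the token request body. The endpoint, client ID, redirect URI and function names are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders (assumptions); a real provider publishes its own values.
AUTHORIZE_URL = "https://provider.example/oauth/authorize"
CLIENT_ID = "demo-client-id"
REDIRECT_URI = "https://app.example/callback"


def build_authorization_url(scope):
    """Return (url, state). The caller stores state in the user's session."""
    state = secrets.token_urlsafe(32)  # unguessable, one per login attempt
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def handle_callback(callback_url, expected_state):
    """Verify state first, then extract the code. Raises ValueError on failure."""
    params = parse_qs(urlsplit(callback_url).query)
    states = params.get("state", [])
    codes = params.get("code", [])
    # An empty session value must never match; duplicated parameters are rejected.
    if not expected_state or len(states) != 1:
        raise ValueError("state missing or duplicated: discard this callback")
    if not hmac.compare_digest(states[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF, discard this callback")
    if len(codes) != 1:
        raise ValueError("authorization code missing or duplicated")
    return codes[0]


def build_token_request(code, client_secret):
    """Form body for the server-side POST to the token endpoint."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must equal the value sent in the first step
        "client_id": CLIENT_ID,
        "client_secret": client_secret,  # never sent to or stored in the browser
    }
```

The stored state should be deleted from the session once a callback has been processed, so a captured callback URL cannot be replayed against the same session.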
Full version includes PKCE support, token refresh logic, multiple provider configs, session storage, and production-ready error handling.