Stateless mock provider

Mock OAuth 2.0 / OIDC

A fully stateless mock OAuth 2.0 and OpenID Connect provider. Any client_id and client_secret pair is accepted. Codes, access tokens and refresh tokens are base64url-encoded JSON documents that carry every claim needed to continue the flow — so no database is required.

Endpoints

Discovery/.well-known/openid-configuration
Authorization/authorize
Token/token
UserInfo/userinfo
Revocation/revoke
JWKS (empty, HS256)/.well-known/jwks.json

Try it

Launch an authorization request with any client_id and redirect_uri:

Start demo flow →

Error simulation

Any client_id that starts with error: triggers a deterministic failure at a specific stage of the OAuth lifecycle. Format: error:<stage>[:<oauth_error_code>].

client_id	Effect
error:authorize	/authorize renders a 400 page (before consent is shown).
error:authorize_redirect	Consent redirects back to the client with ?error=access_denied.
error:authorize_redirect:server_error	Same as above but with a custom OAuth error code.
error:token_exchange	/token returns invalid_grant when exchanging the authorization code.
error:token_exchange:invalid_client	/token returns the specified OAuth error code (401 for invalid_client).
error:refresh	/token refresh_token grant returns invalid_grant.
error:client_credentials	/token client_credentials grant returns invalid_client.
error:userinfo	/userinfo returns 401 invalid_token (after a successful token exchange).
error:introspect	/introspect returns a JSON error body.
error:id_token	Tokens are issued successfully, but the id_token signature is corrupted.
error:slow:2000	/token sleeps for 2000 ms before responding (param = delay in ms).
error:all	Fails at every stage that supports it (skips id_token and slow).

Supported features

• Authorization Code grant
• Refresh Token grant
• PKCE (plain + S256)
• OpenID Connect id_token (HS256)
• Arbitrary scopes & redirect URIs
• UserInfo endpoint
• Token revocation endpoint
• Custom sub / email / name per session