Skip to tool

OAUTH RELEASE FIREWALL

OAuth Redirect URI & PKCE Attack Surface Lab

Find OAuth client configuration mistakes that can turn a harmless login button into redirect hijack, token leakage or account-takeover risk.

Reviewed 2026-07-08

Security
Exact redirectsPKCE S256State/nonceYAML gateJSON receipt

Loading OAuth Redirect URI & PKCE Attack Surface Lab...

Why this is different

OAuth client reviews often hide dangerous details in spreadsheets: wildcard callbacks, preview domains, open redirect parameters, implicit flow and missing PKCE/state. This lab turns those rows into a risk map, a client ledger and a release gate that can be reviewed before the app ships.