State / Nonce Generator
Generate cryptographically secure state and nonce values for OAuth2 and OpenID Connect flows
State & Nonce in OAuth2 / OIDC
Why these parameters matter for secure authorization flows
What is State?
The state parameter binds the authorization request to the callback. It prevents CSRF attacks by ensuring the response matches the request you initiated. Store it in a session or cookie before redirecting, then verify it when the user returns.
What is Nonce?
The nonce parameter is used primarily in OpenID Connect flows. It is sent with the authorization request and must appear as a claim in the id_token. It prevents replay attacks by ensuring the ID token was issued in response to your specific request.
Character Set
Both values use the unreserved character set from RFC 3986: A-Za-z0-9-._~. This makes them URL-safe and suitable for query parameters or fragments without encoding.
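The full round trip described above (generate, store, send, verify), as an added example that is not this tool's own code. It assumes a dict-like server-side session and ID token claims whose signature has already been verified; the function names, session keys and the 43-character length are hypothetical choices for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# RFC 3986 unreserved characters: 66 symbols, about 6 bits of entropy each.
UNRESERVED = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)

def random_token(length=43):
    """Pick every character with the OS CSPRNG; secrets.choice has no modulo bias."""
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))

def begin_login(session, authorize_endpoint, client_id, redirect_uri):
    """Store a fresh state and nonce in the session, then build the redirect URL."""
    session["oauth_state"] = random_token()
    session["oidc_nonce"] = random_token()
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": session["oauth_state"],
        "nonce": session["oidc_nonce"],
    })
    return f"{authorize_endpoint}?{query}"

def check_state(session, callback_url):
    """Verify state on the callback. pop() makes the stored value single-use."""
    expected = session.pop("oauth_state", None)
    received = parse_qs(urlsplit(callback_url).query).get("state", [])
    # Reject a missing session value and a missing or duplicated parameter.
    if expected is None or len(received) != 1:
        return False
    return hmac.compare_digest(expected.encode(), received[0].encode())

def check_nonce(session, id_token_claims):
    """Compare the nonce claim of an already signature-verified ID token."""
    expected = session.pop("oidc_nonce", None)
    received = id_token_claims.get("nonce")
    if expected is None or not isinstance(received, str):
        return False
    return hmac.compare_digest(expected.encode(), received.encode())
```

Because both checks pop the stored value, a second callback carrying the same state or nonce fails even if the value is correct.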
Building OAuth2 or OIDC into your app?
AuthAction handles state validation, nonce verification, and PKCE out of the box — so you don't have to.