How to Test OAuth2 Flows — A Practical Walkthrough
OAuth2 looks complicated until you trace one request at a time. This guide uses a free public sandbox so you can practice every step — and intentionally break it — without setting up a real Identity Provider.
Which flow are you actually testing?
| Flow | When | Sandbox supports |
|---|---|---|
| Client credentials | Service-to-service (no user) | Yes — POST /auth/oauth |
| Resource owner password | First-party legacy clients | Yes — POST /auth/token |
| Authorization code + PKCE | SPAs and mobile apps | Roadmap |
Client-credentials in one curl
curl -X POST https://demo.totalshiftleft.ai/auth/oauth \
-d "grant_type=client_credentials&client_id=demo&client_secret=demo-secret"
# → { "access_token":"eyJhbGc...", "token_type":"Bearer", "expires_in":3600 }
Decode the JWT
Paste the access_token into jwt.io or run:
# the payload is base64url without '=' padding: fix the alphabet and pad it, or base64 -d errors out
echo "eyJhbGc..." | cut -d. -f2 | tr '_-' '/+' | awk '{ while (length($0) % 4) $0 = $0 "="; print }' | base64 -d
You'll see claims like sub, scope, exp. Test what your client does when exp is in the past — many clients silently retry forever.
The four bugs you must catch
- Expired token — wait until exp passes, then call a protected endpoint. Expect 401.
- Wrong scope — call an admin endpoint with a user-scope token. Expect 403, not 401.
- Missing token — omit the header entirely. Expect 401 with a WWW-Authenticate response header.
- Token replay after revocation — POST /auth/revoke, then retry. Expect 401.
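An added helper for the decoding step and the four checks above (not part of the original guide or the sandbox): it decodes a token payload with the base64url padding handled, evaluates exp and scope, and reports whether a protected endpoint returned the status and header each case requires. The token it builds is a constructed, unsigned fixture; responses from the sandbox are assumed to be passed in as (status, headers).

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it or base64 decoding fails
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    # Inspection only: the signature is NOT checked, so never authorize on this
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))

def is_expired(claims: dict, now: float) -> bool:
    # A token with no exp claim is treated as expired, not as valid forever
    return "exp" not in claims or int(claims["exp"]) <= now

def has_scope(claims: dict, required: str) -> bool:
    # scope is a space-separated list (RFC 6749 section 3.3)
    return required in str(claims.get("scope", "")).split()

def unsigned_test_token(claims: dict) -> str:
    # Constructed fixture with an empty signature; sandbox tokens are signed
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."

# Expected behaviour for the four cases above: (status, required header or None)
EXPECTED = {"expired": (401, None), "wrong_scope": (403, None),
            "missing_token": (401, "WWW-Authenticate"),
            "replay_after_revoke": (401, None)}

def check_response(case: str, status: int, headers: dict) -> list:
    # Returns findings for one case; an empty list means the server passed
    want_status, want_header = EXPECTED[case]
    findings = []
    if status != want_status:
        findings.append(f"{case}: expected HTTP {want_status}, got {status}")
    if want_header and want_header.lower() not in {k.lower() for k in headers}:
        findings.append(f"{case}: response lacks {want_header} header")
    return findings

if __name__ == "__main__":
    # Offline demo on a constructed token; replace with a real sandbox response
    tok = unsigned_test_token({"sub": "demo", "scope": "read", "exp": 1700000000})
    claims = decode_claims(tok)
    print(claims, is_expired(claims, 1700000001), has_scope(claims, "admin"))
    print(check_response("missing_token", 401, {"Content-Type": "application/json"}))
```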
Refresh-token rotation
POST /auth/refresh
{ "refresh_token": "rt_abc..." }
# → returns a new access_token AND a new refresh_token
# the old refresh_token is now invalid (rotation)
If your client uses the old refresh_token after rotation, you have a security bug. Test it deliberately.
Postman setup
- Collection → Authorization → Type OAuth 2.0
- Token Name: anything. Grant Type: Client Credentials
- Access Token URL: https://demo.totalshiftleft.ai/auth/oauth
- Client ID: demo · Client Secret: demo-secret
- Click Get New Access Token → use it
Where to test next
- Repeat the flow against GraphQL — same tokens work
- Read about OWASP API Security Top 10 testing
Frequently asked questions
Are these credentials safe to share?
They only work against demo.totalshiftleft.ai. Treat issued tokens as throwaway.
Can I get a refresh token?
Yes. The /auth/token endpoint returns refresh_token alongside access_token.
Other free public APIs in this sandbox
Open the live sandbox — REST, GraphQL, SOAP and auth in one place. No signup, no API key.