A lightweight mock OAuth 2.0 authorization server for local development and testing token refresh flows.
All state is held in memory — restarting the server clears all tokens.
npm install
npm startThe server runs on http://localhost:9090 by default. Set the PORT environment variable to override.
Issues an authorization code and redirects back to the client. Auto-approves all requests (no login screen).
| Query Param | Required | Description |
|---|---|---|
response_type |
Yes | Must be code |
client_id |
Yes | Any client identifier string |
redirect_uri |
Yes | Where to redirect with the auth code |
state |
No | Opaque value passed back to client |
Exchanges credentials for tokens. Supports three grant types:
grant_type=authorization_code — exchange an auth code for an access + refresh token pair.
| Body Param | Required | Description |
|---|---|---|
grant_type |
Yes | authorization_code |
code |
Yes | The authorization code |
client_id |
Yes | Must match original |
redirect_uri |
Yes | Must match original |
grant_type=client_credentials — get an access token directly (no refresh token).
| Body Param | Required | Description |
|---|---|---|
grant_type |
Yes | client_credentials |
client_id |
Yes | Any client identifier |
scope |
No | Defaults to read |
grant_type=refresh_token — exchange a refresh token for a new token pair. The old tokens are invalidated.
| Body Param | Required | Description |
|---|---|---|
grant_type |
Yes | refresh_token |
refresh_token |
Yes | A valid refresh token |
client_id |
Yes | Must match original |
Token expiration is done in store.js#createTokenPair
A protected endpoint that validates the bearer token.
Authorization: Bearer <access_token>
Returns 200 with sample data on success, 401 if the token is missing, invalid, or expired.
Dumps the current in-memory state of all auth codes, access tokens, and refresh tokens. Useful for debugging.
| Token | Lifetime |
|---|---|
| Auth code | 30s |
| Access token | 10s |
| Refresh token | 30s |
A test script is included that walks through the full OAuth flow:
# In one terminal, start the server
npm start
# In another terminal, run the test
bash test-client.sh