1. Overview

oauth2.dev is a developer tool site for OAuth 2.0 and OpenID Connect. Some tools run entirely in your browser. Others send requests to oauth2.dev so the server can fetch remote endpoints, validate protocol behavior, generate reports, or power hosted features such as Mock IdPs and dashboards.

We try to keep data handling narrow, useful, and proportionate to the job the tool is performing. We do not sell personal data.

2. Data You Provide

Depending on the feature you use, oauth2.dev may receive:

• endpoint URLs, issuer URLs, JWKS documents, OpenID metadata, or other protocol inputs submitted to validators and test tools
• OAuth parameters submitted to flow-testing tools, such as client identifiers, redirect URIs, scopes, codes, PKCE values, or token endpoint request fields
• account information and configuration data if you sign in and use dashboard or hosted Mock IdP features
• messages you send directly, such as support or feedback emails

3. Operational Telemetry and Logs

We collect lightweight operational telemetry to understand whether the tools are being used, whether validations are succeeding, and whether the service is healthy.

That telemetry can include:

• the tool or route being used
• the endpoint URL or query submitted for validation or lookup
• success or failure status
• warning and error counts
• response timing and similar operational details

Some of these operational events are delivered to a Discord webhook used for service awareness and lightweight internal metrics. The goal is operational visibility, not behavioral profiling.

4. How We Use Information

• to provide the tool or feature you requested
• to fetch and validate remote OAuth or OIDC endpoints
• to run hosted Mock IdP and dashboard features
• to monitor reliability, troubleshoot failures, and prevent abuse
• to improve the product and understand which tools are useful

5. Ads, Sponsorships, and Analytics

oauth2.dev may include privacy-respecting advertising or sponsorships. We do not use tool inputs such as submitted endpoint URLs, validation results, tokens, or keys for behavioral ad targeting.

The site may also use basic product analytics or hosting analytics. When third-party providers are involved, their systems may process standard web request data under their own policies.

6. What You Should Avoid Submitting

Do not submit production secrets, confidential client secrets, sensitive user tokens, or private data to server-assisted tools unless you are comfortable with that processing. If a tool needs server-side validation or endpoint fetching, the submitted data may transit oauth2.dev infrastructure to complete the request.

For safer local experimentation, prefer test credentials and non-production environments.

7. Sharing and Service Providers

We may share data with service providers that help us operate the site, such as hosting, authentication, billing, email, and operational notification vendors. We may also disclose information when required by law or when reasonably necessary to protect the service, users, or others.

8. Your Choices

• You can choose not to use server-assisted tools for sensitive material.
• You can avoid creating an account if you only need public tools.
• You can block or limit cookies and similar browser storage using your browser settings, although some features may stop working.

9. Contact

Questions about privacy or data handling can be sent to privacy@oauth2.dev.

For a higher-level explanation of how the public tools work, see the homepage and the tool descriptions in the tools directory.