The code_challenge parameter is optional but recommended.Your user will be prompted to log in to OpenRouter and authorize your app. After authorization, they will be redirected back to your site with a code parameter in the URL:
Use SHA-256 for Maximum SecurityFor maximum security, set code_challenge_method to S256, and set code_challenge to the base64 encoding of the sha256 hash of code_verifier.For more info, visit Auth0’s docs.
The following example leverages the Web Crypto API and the Buffer API to generate a code challenge for the S256 method. You will need a bundler to use the Buffer API in the web browser:
import { Buffer } from 'buffer';async function createSHA256CodeChallenge(input: string) { const encoder = new TextEncoder(); const data = encoder.encode(input); const hash = await crypto.subtle.digest('SHA-256', data); return Buffer.from(hash).toString('base64url');}const codeVerifier = 'your-random-string';const generatedCodeChallenge = await createSHA256CodeChallenge(codeVerifier);
Localhost callbacks are supported on any port. This is useful for CLI tools and local-first apps that bind to an arbitrary free OS port for the OAuth callback (e.g. http://localhost:51423/callback).
Localhost apps are assigned a fixed title matching the host and port (e.g. localhost:3000) but will not appear in the OpenRouter marketplace or rankings. If you want a custom app name and marketplace presence, use a public URL as the callback instead.
When moving to production, replace the localhost callback URL with a public URL (your project website or a GitHub repo link) to get full app attribution.