
PKCE

Proof Key for Code Exchange (PKCE) is an extension to the OAuth 2.0 Authorization Code grant that improves security for public clients, such as mobile or native apps, which cannot securely store a client secret. PKCE helps prevent interception of the authorization code by ensuring that the code obtained in the authorization request can only be exchanged for tokens by the same client that initiated the request. It is defined in RFC 7636 and widely adopted as part of OAuth 2.0 Security Best Current Practice.

How PKCE works: the client generates a code_verifier, a high-entropy, cryptographically random string between 43 and 128 characters. A code_challenge is derived from the verifier, typically by applying SHA-256 and base64url-encoding the result; the code_challenge_method is usually S256, though a plain method is also defined but not recommended. The client starts the authorization request by including the code_challenge and code_challenge_method, but it does not send the code_verifier. The authorization server stores the code_challenge with the issued authorization code.

During the token request, the client sends the code_verifier. The server recomputes the code_challenge from the verifier and compares it to the originally stored value. If they match, the server issues the access token (and, if configured, a refresh token). This binding between the authorization request and the token exchange protects against an attacker who might steal the authorization code.

PKCE is primarily intended for public clients, such as native, mobile, and single-page applications. It does not require a client secret, though confidential clients can use PKCE as an additional safeguard if desired.