Proof Key For Code Exchange (PKCE) flow



OAuth 2.0 public clients (ie browser) utilizing the Authorization Code Grant are susceptible to the authorization code interception attack.

Proof Key for Code Exchange by OAuth Public Clients (PKCE) 1) helps mitigate this attack.

  • the app generate a random value at the beginning of the flow called a Code Verifier.
  • the app hashes the code Verifier and the result is called the code challenge.
  • the app sent the code Challenge during the authorization request
  • the app sent the code challenge for each subsequent request.

It ensures that only the client which requested the token can redeem it

PKCE is pronounced “pixy”.

Documentation / Reference

Discover More
OAuth - Public client

A public client is a client that has a public type. It means that you are not the administrator of the computer whereas with a confidential (private) client you are. A bad agent can scan your application...

Share this page:
Follow us:
Task Runner