Skip to main content

What is PKCE?

PKCE (pronounced “pixie”) is a security extension to OAuth 2.0 that prevents authorization code interception attacks. It’s mandatory in OAuth 2.1.

The Problem

Without PKCE, an attacker who intercepts an authorization code can exchange it for tokens:

The Solution

PKCE adds cryptographic proof that the same client completing the flow started it:

How It Works

1

Generate Code Verifier

Client generates a random 32-byte string:
2

Create Code Challenge

Hash the verifier with SHA-256:
3

Send Challenge

Include challenge in authorization request:
4

Store Verifier

Client stores verifier securely (e.g., sessionStorage)
5

Send Verifier

Include verifier when exchanging code:
6

Server Verifies

Server computes challenge from verifier and compares:

Implementation

Using Auth-Agent SDK

The SDK handles PKCE automatically:

Manual Implementation

Security Benefits

Even if an attacker intercepts the authorization code, they cannot use it without the verifier.
Unlike client secrets, the verifier is never shared or registered in advance.
Effective in browsers, mobile apps, and SPAs where secrets can’t be kept.
OAuth 2.1 makes PKCE mandatory for all authorization code flows.

Common Issues

Verifier Not Found: Make sure you’re storing the verifier before redirecting and retrieving it correctly after callback.
PKCE Verification Failed: The verifier must be the exact same value that generated the challenge. Check for encoding issues.

References

Next Steps

Token Management

Learn about token lifecycle

Security Best Practices

Security recommendations