PKCE

PKCE (Proof Key for Code Exchange), pronounced "pixy", is an extension to the OAuth 2.0 Authorization Code flow that protects against authorization code interception attacks. It was originally designed for native mobile apps but is now the recommended default for all clients, including server-side and single-page applications.

How it works

The client generates a high-entropy random string called the code verifier and derives a code challenge from it using SHA-256. The client sends the code challenge with the initial authorization request. When exchanging the authorization code for an access token, the client also sends the original code verifier. The authorization server verifies that the verifier hashes to the same challenge, proving that the same client that started the flow is finishing it.

Even if an attacker intercepts the authorization code, they cannot exchange it for tokens without the original verifier, which never leaves the legitimate client.
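The S256 derivation and the token-endpoint check described above, as an added example that is not part of the original page: the client builds a verifier and challenge, the authorization server binds the challenge to the code it issues and re-derives it at exchange time, and a short simulated flow shows that an intercepted code without the verifier is rejected. The function names and the in-memory `issued` record are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import string


def make_code_verifier(length: int = 64) -> str:
    """Random verifier from the RFC 7636 unreserved set, 43..128 chars long."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43-128 characters")
    alphabet = string.ascii_letters + string.digits + "-._~"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def b64url_no_pad(data: bytes) -> str:
    """Base64url encoding without '=' padding, as the spec requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_no_pad(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_code_challenge(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization server side: re-derive the challenge from the presented
    verifier and compare it in constant time with the one stored at issuance."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    expected = make_code_challenge(presented_verifier)
    return hmac.compare_digest(expected, stored_challenge)


def simulate_flow() -> tuple:
    """Constructed end-to-end run. Returns (legit_ok, intercepted_code_ok)."""
    verifier = make_code_verifier()           # stays on the client
    challenge = make_code_challenge(verifier)  # sent in the authorization request
    # The server stores the challenge next to the code it issues (assumed record).
    issued = {"code": secrets.token_urlsafe(24), "code_challenge": challenge}
    # Legitimate client presents the code together with the original verifier.
    legit_ok = verify_code_challenge(issued["code_challenge"], verifier)
    # An interceptor holds only the code and must supply some verifier; a fresh
    # random one will not hash to the stored challenge, so the exchange fails.
    intercepted_ok = verify_code_challenge(issued["code_challenge"], make_code_verifier())
    return legit_ok, intercepted_ok
```

The first two assertions in the test use the verifier/challenge pair from RFC 7636 Appendix B, so the derivation can be checked against the specification's own vector.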

Specification

Defined by RFC 7636. OAuth 2.1 requires PKCE for the Authorization Code flow regardless of client type.
