PKCE (Proof Key for Code Exchange)
What is PKCE (Proof Key for Code Exchange)?
An OAuth 2.0 extension (RFC 7636) that binds an authorization-code redemption to a one-time secret created by the client, neutralizing authorization-code interception attacks on public and confidential clients alike.
PKCE (Proof Key for Code Exchange, RFC 7636, pronounced "pixy") is an OAuth 2.0 extension originally introduced to protect public clients (mobile apps, single-page apps, native CLIs) from authorization-code interception attacks. The OAuth 2.0 Security Best Current Practice (RFC 9700) now requires it for public clients and recommends it for confidential clients, and the OAuth 2.1 draft makes it mandatory for every authorization-code flow. The extension adds three parameters. At the authorization request, the client generates a high-entropy `code_verifier` (43 to 128 characters from the unreserved URL character set, drawn from a cryptographically secure random source), derives a `code_challenge` from it, and sends the challenge along with `code_challenge_method`. With the `S256` method the challenge is BASE64URL(SHA-256(`code_verifier`)); the `plain` method, where the challenge is the verifier itself, exists only for clients that cannot compute SHA-256 and protects nothing against an attacker who can read the authorization request, so current guidance is to use S256 exclusively. The authorization server records the challenge against the code it issues. When the client later exchanges that code for tokens, it sends the original `code_verifier`; the server recomputes the challenge and rejects the exchange with `invalid_grant` unless the result matches the value it remembered for that code. Because the verifier never leaves the client until the token exchange, an attacker who intercepts the redirect URL (via a competing app registered for the same custom URI scheme, a referrer or log leak, or a misconfigured intermediary) holds a code they cannot redeem. The same binding gives each transaction a fresh per-client secret, which is why RFC 9700 allows PKCE to take over the CSRF role of the `state` parameter when the authorization server supports it. PKCE protects only the code, not the tokens issued for it; sender-constraining the tokens (DPoP, mTLS) is a separate control. Modern guidance (OAuth 2.1, FAPI, Entra ID, Auth0, Okta) recommends PKCE for confidential clients too, and many IdPs now enforce it.
● Examples
- 01
A React SPA initiates the OAuth authorization-code flow with a SHA-256 `code_challenge` and `code_challenge_method=S256`, then exchanges the returned code plus the original `code_verifier` for tokens at the IdP's token endpoint, with no client secret involved.
- 02
An IdP rejects an authorization-code grant from a public client that arrived without a matching PKCE verifier: the code was bound to a `code_challenge` at the authorization request, so a token request whose `code_verifier` is missing or hashes to a different value is answered with `invalid_grant` and treated as a possible interception.
● Frequently asked questions
What is PKCE (Proof Key for Code Exchange)?
An OAuth 2.0 extension (RFC 7636) that binds an authorization-code redemption to a one-time secret created by the client, neutralizing authorization-code interception attacks on public and confidential clients alike. It belongs to the Identity & Access category of cybersecurity.
What does PKCE (Proof Key for Code Exchange) mean?
An OAuth 2.0 extension (RFC 7636) that binds an authorization-code redemption to a one-time secret created by the client, neutralizing authorization-code interception attacks on public and confidential clients alike.
How does PKCE (Proof Key for Code Exchange) work?
The client creates a random `code_verifier`, sends `code_challenge` = BASE64URL(SHA-256(`code_verifier`)) together with `code_challenge_method=S256` in the authorization request, and the authorization server records that challenge against the code it issues. At the token endpoint the client presents the code and the original `code_verifier`; the server recomputes the challenge, compares it with the recorded value, and returns `invalid_grant` on mismatch or when the verifier is missing. Because the verifier exists only in the client instance that started the flow, an intercepted code is worthless to anyone else, and the code is single-use in any case. RFC 9700 requires PKCE for public clients and recommends it for confidential ones; the OAuth 2.1 draft makes it mandatory for all authorization-code flows.
What are the common pitfalls when deploying PKCE (Proof Key for Code Exchange)?
Client side: generate a fresh `code_verifier` from a cryptographically secure random source for every authorization request (32 random bytes, base64url-encoded, gives the 43-character minimum), keep it where the redirect handler can reach it but other origins cannot, and always send `code_challenge_method=S256`. Server side: bind the `code_challenge` to the issued code, compare the recomputed value with the recorded one in constant time, answer any mismatch or missing verifier with `invalid_grant`, make codes single-use and short-lived, and mitigate downgrade attacks by accepting a `code_verifier` only when a `code_challenge` was present in the authorization request (and rejecting a token request that omits the verifier when one was). PKCE protects the authorization code, not the tokens issued for it: exact `redirect_uri` matching, an OIDC `nonce` for ID tokens, and sender-constrained tokens (DPoP or mTLS) remain separate controls.
What are other names for PKCE (Proof Key for Code Exchange)?
Common alternative names include: Proof Key for Code Exchange (the spelled-out form) and "pixy", the pronunciation given in RFC 7636, the specification that defines it.
● Related terms
- OAuth 2.0
An open authorization framework that lets a resource owner grant a third-party application limited, scoped access to an API without sharing credentials.
- OpenID Connect (OIDC)
An identity layer built on top of OAuth 2.0 that lets clients verify a user's identity and obtain basic profile information via signed ID tokens.
- Authorization
The process of deciding what an already-authenticated identity is allowed to do — which resources, actions and conditions are permitted.
- JWT (JSON Web Token)
Compact, URL-safe token format (RFC 7519) that carries signed JSON claims, widely used as access tokens, ID tokens, and session containers.
- Authentication
The process of verifying that an entity — user, device or service — really is who or what it claims to be before granting access.
- DPoP (Demonstrating Proof of Possession)
An OAuth 2.0 extension (RFC 9449) that binds access tokens to a per-client key pair, so a stolen bearer token cannot be replayed by an attacker without also stealing the private signing key.