What is PKCE (Proof Key for Code Exchange)?

An extension to OAuth 2.0 Authorization Code flow that protects against code interception for public clients (SPAs, mobile apps).

Full explanation

PKCE adds two parameters to the OAuth flow: a `code_verifier` generated by the client and a `code_challenge` sent with the authorization request. The client later proves it initiated the flow by submitting the `code_verifier` at token-exchange time. PKCE is required for every public client per OAuth 2.1.

Example

A mobile app generates a random `code_verifier`, hashes it with SHA-256 to produce the `code_challenge`, sends the challenge in the authorize request, and submits the verifier with the code-exchange request. An attacker who intercepts the code alone cannot exchange it for a token.

FAQ

Do confidential clients need PKCE?

Not strictly, but many authorization servers now require it for everyone. It is a small cost and removes code-interception risk.