What is PKCE in OAuth?
Last updated: April 1, 2026
Key Facts
- PKCE stands for 'Proof Key for Public Clients' and is defined in RFC 7636
- It uses a code_verifier and code_challenge mechanism to validate authorization requests
- PKCE is mandatory for mobile apps and single-page applications (SPAs) in modern OAuth implementations
- The technology prevents authorization code interception and token exchange attacks
- Major platforms including Google, Microsoft, and Apple require PKCE for OAuth authentication
Overview
PKCE is an extension to the OAuth 2.0 authorization protocol designed to add an additional layer of security, particularly for public clients that cannot securely store secrets. Public clients include mobile applications, single-page applications (SPAs), and desktop applications where client secrets cannot be reliably protected. PKCE addresses a fundamental vulnerability in the standard OAuth 2.0 authorization code flow.
How PKCE Works
PKCE introduces two additional parameters to the authorization flow: code_verifier and code_challenge. The client generates a random code_verifier, a string of 43 to 128 characters, and hashes it with SHA-256 to produce the code_challenge, which it sends to the authorization server in the authorization request. When the authorization server later issues an authorization code, the client must prove it owns the request by presenting the original code_verifier at the token exchange. The server hashes the presented verifier and checks that the result matches the challenge it stored, confirming that the token request comes from the same client that started the flow.
Security Benefits
PKCE prevents authorization code interception attacks, in which a malicious application intercepts an authorization code and exchanges it for an access token. Without PKCE, an intercepted authorization code is enough to gain unauthorized access. By requiring the code_verifier to match the code_challenge, PKCE ensures that only the application that initiated the authorization request can complete the token exchange.
Implementation Requirements
To implement PKCE, developers must:
- Generate a random code_verifier for each authorization request
- Create a code_challenge from the verifier, either as its SHA-256 hash or, as a fallback, as the plain verifier itself
- Include the code_challenge in the authorization request
- Send the original code_verifier during the token exchange step
- Handle the verification response from the authorization server
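The flow described above and the steps just listed, as an added Python example that is not part of the original page: the client-side derivation of the verifier and challenge, and a constructed stand-in for the authorization server that enforces the check at the token endpoint (the AuthorizationServer class and its method names are assumptions for illustration, not any real library's API).

```python
import base64
import hashlib
import hmac
import secrets

# Unreserved characters a code_verifier may contain (RFC 7636).
VERIFIER_CHARS = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)

def b64url(data: bytes) -> str:
    """base64url encoding without '=' padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    """Client side: a fresh 32-byte random verifier, encoded to 43 characters."""
    return b64url(secrets.token_bytes(32))

def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: derive the challenge sent in the authorization request."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":  # only for clients that cannot compute SHA-256
        return verifier
    raise ValueError("unknown code_challenge_method")

class AuthorizationServer:
    """Constructed stand-in for the server's authorize and token endpoints."""

    def __init__(self):
        self._pending = {}  # authorization code -> (code_challenge, method)

    def authorize(self, code_challenge: str, method: str) -> str:
        """Authorization endpoint: store the challenge with the code it issues."""
        code = secrets.token_urlsafe(16)  # the authorization code
        self._pending[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        """Token endpoint: succeed only if the verifier matches the stored challenge."""
        entry = self._pending.pop(code, None)  # a code is single use
        if entry is None:
            return False
        challenge, method = entry
        if not 43 <= len(code_verifier) <= 128 or set(code_verifier) - VERIFIER_CHARS:
            return False
        expected = make_code_challenge(code_verifier, method)
        return hmac.compare_digest(expected.encode(), challenge.encode())
```

A party that captures only the authorization code cannot call token() successfully, because the verifier never leaves the client until the token exchange.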
Current Standards
PKCE has become a standard requirement for OAuth 2.0 implementations. Major identity providers including Google, Microsoft, and Apple now mandate PKCE for public client applications. Industry best practices recommend PKCE for all OAuth 2.0 implementations, not just public clients, as it provides additional security without significant complexity.
Related Questions
What is OAuth 2.0?
OAuth 2.0 is an authorization protocol that allows users to grant third-party applications access to their resources without sharing passwords. It establishes a standardized method for authentication and authorization across web, mobile, and desktop applications.
What is the authorization code flow in OAuth?
The authorization code flow is an OAuth 2.0 process where users are redirected to an authorization server, authenticate, and receive an authorization code that is exchanged for an access token. This flow is the most common method for web and mobile applications.
How is PKCE different from client credentials flow?
Client credentials flow is used for server-to-server authentication where the application itself is the resource owner, while PKCE is used in user-delegated authorization flows to secure public clients that cannot protect client secrets.