Question 1

What is PKCE?

Accepted Answer

PKCE (Proof Key for Code Exchange, pronounced 'pixie') is a security extension to the OAuth 2.0 Authorization Code flow (RFC 7636). It prevents authorization code interception attacks by binding the authorization request to the token exchange request using a cryptographic code challenge.

Question 2

When should I use PKCE?

Accepted Answer

PKCE is required for public clients that cannot safely store a client secret — native mobile apps, single-page applications (SPAs), and desktop apps. It is also recommended for all OAuth 2.0 Authorization Code flows including server-side apps.

Question 3

What is code_verifier vs code_challenge?

Accepted Answer

The code_verifier is a random 43–128 character string generated by the client. The code_challenge is the SHA-256 hash of the code_verifier, Base64URL-encoded. You send code_challenge in the authorization request and code_verifier in the token exchange.

Question 4

What code_challenge_method should I use?

Accepted Answer

Always use S256 (SHA-256). The plain method is only allowed when S256 is not possible and offers no real security benefit. Modern authorization servers require S256.

Question 5

How do I use the generated values?

Accepted Answer

1. In your /authorize request, include: code_challenge=&code_challenge_method=S256. 2. After the user authenticates and you receive the code, include code_verifier= in your /token request. The authorization server verifies that SHA256(code_verifier) matches code_challenge.

Question 6

What is PKCE in OAuth 2.0?

Accepted Answer

PKCE (Proof Key for Code Exchange) prevents authorization code interception attacks in OAuth 2.0 public clients (SPAs, mobile apps). The client generates a random code_verifier, hashes it as code_challenge (SHA-256), and sends the hash with the authorization request. The authorization server verifies the original verifier when exchanging the code for tokens.

Question 7

How do I implement PKCE in my OAuth flow?

Accepted Answer

Generate a cryptographically random 43-128 character code_verifier. Compute code_challenge = base64url(sha256(code_verifier)). Send code_challenge and code_challenge_method=S256 with your authorization request. When exchanging the authorization code, include the original code_verifier. This tool generates compliant PKCE pairs for testing your OAuth implementation.

PKCE Generator — Free Online Code Verifier and Challenge Generator

Frequently Asked Questions

PKCE for Secure OAuth 2.0

Related Tools

OIDC Debugger

OAuth Token Inspector

JWT Decoder

API Key Generator