What is PKCE?

PKCE (Proof Key for Code Exchange) is the OAuth 2.0 extension that protects against code interception attacks.

LoginWith team

PKCE (Proof Key for Code Exchange, pronounced “pixy”) is an extension to OAuth 2.0 that protects against authorization code interception. As of OAuth 2.1 it is required for all public clients.

The problem it solves

In the classic OAuth flow, if an attacker intercepts the authorization code (via a malicious app, a compromised redirect, or a log leak), they can exchange it for an access token. PKCE makes the interception useless.

How it works

  1. The client generates a random code verifier (43-128 bytes).
  2. It hashes the verifier with SHA-256 and sends the hash as a code challenge in the authorization request.
  3. After the user authorizes, the client exchanges the code and the original verifier at the token endpoint.
  4. The server hashes the verifier and confirms it matches the challenge from step 2.

Without the original verifier, an intercepted code is useless.

When to use it

Always. PKCE is now required for:

  • Public clients (SPAs, mobile apps)
  • Native desktop apps
  • CLIs using the device flow

For confidential clients (server-side apps with a secret), PKCE is still recommended as defense in depth.

See the full auth glossary for related terms.
