Skip to content

What is PKCE

Key idea:

PKCE (Proof Key for Code Exchange, RFC 7636) — an OAuth 2.0 extension protecting the authorization code from theft in public clients (SPAs, mobile apps without secure storage). Client generates a random code_verifier → sends a hash (code_challenge) in the authorize URL → at token exchange sends the original verifier back. Without PKCE, an attacker who intercepts the code can mint an access_token.

Below: details, example, related terms, FAQ.

Check your site's security →

Details

  • code_verifier: random 43-128-char string (unique per auth attempt)
  • code_challenge: base64url(sha256(code_verifier))
  • code_challenge_method: S256 (only supported)
  • Authorize URL: adds code_challenge + method
  • Token exchange: sends the code_verifier instead of client_secret

Example

code_verifier = base64url(random(32))   // "dBjftJeZ..."
code_challenge = base64url(sha256(code_verifier))
auth_url = authorize?client_id=X&code_challenge=CC&code_challenge_method=S256

Related Terms

How PKCE Enhances OAuth 2.0 Security

PKCE (Proof Key for Code Exchange) significantly enhances the security of OAuth 2.0 by addressing vulnerabilities associated with public clients. Traditional OAuth 2.0 relies on client secrets to secure authorization codes, which is not feasible for public clients like Single Page Applications (SPAs) or mobile apps. These environments cannot store secrets securely, making them susceptible to attacks.

PKCE mitigates this risk by introducing a dynamic mechanism for verifying the identity of the client during the token exchange process. The main components of PKCE are:

  • code_verifier: A high-entropy cryptographic random string generated by the client.
  • code_challenge: A hashed version of the code_verifier sent in the authorization request.

When a client requests an access token, it sends the previously generated code_verifier along with the authorization code. The authorization server then hashes this code_verifier and compares it with the original code_challenge. If they match, it confirms the client’s identity. This process prevents attackers from using intercepted authorization codes, as they would not possess the corresponding code_verifier.

In summary, PKCE transforms OAuth 2.0 from a vulnerable protocol into a more secure one, especially for public clients, by introducing a mechanism that ensures only the legitimate client can exchange the authorization code for an access token.

Implementing PKCE in Your Application

Implementing PKCE in your application involves a series of steps to ensure secure authorization code exchange. Below is a practical guide to implementing PKCE in a typical OAuth 2.0 flow:

  1. Generate the code_verifier: Create a random string that will serve as your code_verifier. For example:
const codeVerifier = generateRandomString(128);
  1. Create the code_challenge: Hash the code_verifier using SHA-256 and then base64 URL-encode the result. For example:
const codeChallenge = base64UrlEncode(sha256(codeVerifier));
  1. Send the authorization request: Include the code_challenge in the authorization request URL:
GET /authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&code_challenge=codeChallenge&code_challenge_method=S256
  1. Exchange the authorization code for an access token: When the user is redirected back to your application, send the code_verifier along with the authorization code to the token endpoint:
POST /token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=AUTHORIZATION_CODE&redirect_uri=REDIRECT_URI&client_id=CLIENT_ID&code_verifier=codeVerifier

By following these steps, you can effectively implement PKCE in your application, enhancing its security against common attacks.

Common PKCE Misconfigurations and How to Avoid Them

While PKCE is a robust security measure for OAuth 2.0, misconfigurations can still expose your application to vulnerabilities. Below are some common pitfalls and best practices to avoid them:

  • Inconsistent code_verifier generation: Ensure that the code_verifier is generated securely and consistently. Use a strong random number generator to create the code_verifier, and ensure it is unique for each authorization request.
  • Improper hashing of code_verifier: Use a secure hashing algorithm, such as SHA-256, to create the code_challenge. Avoid weaker algorithms, as they may be susceptible to collision attacks.
  • Ignoring the code_challenge_method parameter: Always specify the code_challenge_method as 'S256' when using SHA-256. Failing to do so can lead to compatibility issues with the authorization server.
  • Not validating the redirect_uri: Ensure that the redirect_uri used in the token exchange matches the one specified in the authorization request. This helps prevent open redirect vulnerabilities.

By being aware of these common misconfigurations and following best practices, you can effectively secure your implementation of PKCE and safeguard your application from potential threats.

HeadersCSP, HSTS, X-Frame-Options, etc.
SSL/TLSEncryption and certificate
ConfigurationServer settings and leaks
Grade A-FOverall security score

Why teams trust us

OWASP
guidelines
15+
security headers
<2s
result
A–F
security grade

How it works

1

Enter site URL

2

Security headers analyzed

3

Get grade A–F

What Does the Security Analysis Check?

The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.

Header Analysis

Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.

SSL Check

TLS version, certificate expiry, chain of trust, HSTS support.

Leak Detection

Finding exposed server versions, debug modes, open configs, and directories.

Report with Recommendations

Detailed report explaining each issue with specific steps to fix it.

Who uses this

Security teams

HTTP header audit

DevOps

config verification

Developers

CSP & HSTS setup

Auditors

compliance checks

Common Mistakes

Missing Content-Security-PolicyCSP is the primary XSS defense. Without it, script injection is much easier.
Missing HSTS headerWithout HSTS, HTTPS-to-HTTP downgrade attacks are possible. Enable Strict-Transport-Security.
Server header exposes versionServer: Apache/2.4.52 helps attackers find exploits. Hide the version.
X-Frame-Options not setSite can be embedded in iframe for clickjacking. Set DENY or SAMEORIGIN.
Missing X-Content-Type-OptionsWithout nosniff, browsers may misinterpret file types (MIME sniffing).

Best Practices

Start with basic headersMinimum: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy. Takes 5 minutes.
Implement CSP graduallyStart with Content-Security-Policy-Report-Only, monitor violations, then enforce.
Hide server headersRemove Server, X-Powered-By, X-AspNet-Version from responses.
Configure Permissions-PolicyRestrict camera, microphone, geolocation access — only what is actually used.
Check after every deploySecurity headers can be overwritten during server configuration updates.

Get more with a free account

Security check history and HTTP security header monitoring.

Sign up free

Learn more

Frequently Asked Questions

Is PKCE needed for confidential clients (server-side)?

Recommended (OAuth 2.1 draft) but not required. For public clients (SPA, mobile) — mandatory.

Do all providers support it?

All major ones: Google, GitHub, Microsoft, Auth0, Okta, Keycloak. Yandex OAuth since 2022.

Plain vs S256 method?

S256 (SHA-256) only in production. Plain (verifier=challenge) is legacy and insecure.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.