Inferensys

Glossary

Proof Key for Code Exchange (PKCE)

Proof Key for Code Exchange (PKCE, pronounced 'pixy') is an extension to the OAuth 2.0 Authorization Code flow designed to prevent authorization code interception attacks, particularly in public clients like mobile and single-page applications.
Developer testing AI inference on mobile phone in hand, laptop with optimization code visible, casual tech review moment.
SECURE CREDENTIAL MANAGEMENT

What is Proof Key for Code Exchange (PKCE)?

Proof Key for Code Exchange (PKCE, pronounced 'pixy') is a critical security extension to the OAuth 2.0 Authorization Code flow, specifically designed to protect public clients from authorization code interception attacks.

Proof Key for Code Exchange (PKCE) is an OAuth 2.0 security extension defined in RFC 7636 that mitigates authorization code interception attacks in public clients, such as mobile apps and single-page applications (SPAs). It works by having the client create a cryptographically random code verifier and its transformed code challenge at the start of the flow. The client sends the challenge with the initial authorization request and must later present the original verifier when exchanging the authorization code for an access token, proving it originated the request.

This mechanism prevents a malicious actor who intercepts the authorization code from being able to use it, as they lack the original code verifier. PKCE is now considered a security best practice for all OAuth 2.0 clients, including confidential ones, and is a mandatory requirement for OAuth 2.1. It is a foundational component for securing autonomous AI agents and other machine-to-machine workflows that must authenticate with external APIs using the OAuth framework without a traditional user present.

SECURE CREDENTIAL MANAGEMENT

Key Security Features of PKCE

Proof Key for Code Exchange (PKCE, pronounced 'pixy') is an OAuth 2.0 extension designed to protect public clients. Its core security features prevent authorization code interception and injection attacks.

01

Code Verifier & Code Challenge

The foundation of PKCE is the code verifier, a high-entropy cryptographic random string created by the client. The client then generates a code challenge by transforming the verifier (typically using the S256 SHA-256 hash). The challenge is sent to the authorization server during the initial request, while the verifier is kept secret. This binds the subsequent token request to the original authorization request.

  • Code Verifier: A cryptographically random string of 43-128 characters (A-Z, a-z, 0-9, '-', '.', '_', '~').
  • Code Challenge: The transformed verifier, sent as part of the initial /authorize request.
02

Mitigating Authorization Code Interception

PKCE was created to defend against the authorization code interception attack, a primary threat to public clients (mobile apps, SPAs). In a standard OAuth flow without PKCE, an attacker who intercepts the authorization code can exchange it for tokens. PKCE prevents this because the attacker cannot generate a valid token request without the original, secret code verifier that corresponds to the code challenge sent initially. Even if the code is stolen from the redirect URI, it is useless without the verifier held by the legitimate client.

03

S256 vs. Plain Challenge Method

PKCE defines two transformation methods for creating the code challenge from the verifier:

  • S256: The verifier is hashed with SHA-256, then Base64URL-encoded. This is the recommended and most secure method, as it never exposes the original verifier.
  • plain: The verifier is used as the challenge without transformation. This method is provided for compatibility but should be avoided as it offers no security benefit if the challenge is observed. RFC 7636 mandates support for S256.
04

Protection Against Malicious Clients

PKCE also provides a layer of defense in scenarios involving malicious or compromised client applications. If a malicious app registers a custom URI scheme also used by a legitimate app, it could potentially capture authorization codes. PKCE mitigates this risk because the malicious app would not possess the correct code verifier generated by the legitimate app at the start of its flow. This makes code replay attacks significantly more difficult.

05

Native & SPA Application Security

PKCE is particularly critical for clients that cannot securely store a client secret, which includes:

  • Single-Page Applications (SPAs): JavaScript running in the browser cannot protect a secret.
  • Mobile & Desktop Native Apps: Apps distributed to end-user devices are considered 'public clients' as their embedded secrets can be extracted. For these clients, PKCE provides the primary proof that the entity redeeming an authorization code is the same one that initiated the request, effectively substituting for a client secret in the token request phase.
06

Required Flow for OAuth 2.1

The importance of PKCE is underscored by its elevation in OAuth 2.1, which consolidates and simplifies the OAuth 2.0 specification. In OAuth 2.1:

  • The Authorization Code Flow with PKCE is the required flow for all OAuth clients, whether public or confidential.
  • The implicit grant and resource owner password credentials flows are removed.
  • The authorization code flow without PKCE is deprecated. This change reflects the security industry's consensus that PKCE's benefits are essential for modern application security and should be universally adopted.
SECURE CREDENTIAL MANAGEMENT

Frequently Asked Questions

Proof Key for Code Exchange (PKCE, pronounced 'pixy') is a critical extension to the OAuth 2.0 Authorization Code flow, specifically designed to protect public clients like mobile and single-page applications from authorization code interception attacks. These questions address its core mechanisms and implementation.

Proof Key for Code Exchange (PKCE) is an OAuth 2.0 security extension that prevents authorization code interception attacks by having the client application cryptographically prove it is the same entity that initiated the authorization request.

It works through a four-step challenge-and-verification process:

  1. Code Verifier Creation: The client creates a high-entropy cryptographically random string called the code_verifier.
  2. Code Challenge Derivation: The client hashes the code_verifier (using SHA-256) to create a code_challenge. This challenge is sent to the authorization server during the initial authorization request.
  3. Authorization Code Grant: After user consent, the authorization server returns an authorization code to the client, binding it to the code_challenge.
  4. Token Exchange with Proof: To exchange the authorization code for an access token, the client must send the original code_verifier to the token endpoint. The server hashes it and verifies it matches the stored code_challenge. If they match, the token is issued; if not, the request is rejected, thwarting a stolen code.
Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.