Proof Key for Code Exchange (PKCE) is an OAuth 2.0 security extension defined in RFC 7636 that mitigates authorization code interception attacks in public clients, such as mobile apps and single-page applications (SPAs). It works by having the client create a cryptographically random code verifier and its transformed code challenge at the start of the flow. The client sends the challenge with the initial authorization request and must later present the original verifier when exchanging the authorization code for an access token, proving it originated the request.
Glossary
Proof Key for Code Exchange (PKCE)

What is Proof Key for Code Exchange (PKCE)?
Proof Key for Code Exchange (PKCE, pronounced 'pixy') is a critical security extension to the OAuth 2.0 Authorization Code flow, specifically designed to protect public clients from authorization code interception attacks.
This mechanism prevents a malicious actor who intercepts the authorization code from being able to use it, as they lack the original code verifier. PKCE is now considered a security best practice for all OAuth 2.0 clients, including confidential ones, and is a mandatory requirement for OAuth 2.1. It is a foundational component for securing autonomous AI agents and other machine-to-machine workflows that must authenticate with external APIs using the OAuth framework without a traditional user present.
Key Security Features of PKCE
Proof Key for Code Exchange (PKCE, pronounced 'pixy') is an OAuth 2.0 extension designed to protect public clients. Its core security features prevent authorization code interception and injection attacks.
Code Verifier & Code Challenge
The foundation of PKCE is the code verifier, a high-entropy cryptographic random string created by the client. The client then generates a code challenge by transforming the verifier (typically using the S256 SHA-256 hash). The challenge is sent to the authorization server during the initial request, while the verifier is kept secret. This binds the subsequent token request to the original authorization request.
- Code Verifier: A cryptographically random string of 43-128 characters (A-Z, a-z, 0-9, '-', '.', '_', '~').
- Code Challenge: The transformed verifier, sent as part of the initial
/authorizerequest.
Mitigating Authorization Code Interception
PKCE was created to defend against the authorization code interception attack, a primary threat to public clients (mobile apps, SPAs). In a standard OAuth flow without PKCE, an attacker who intercepts the authorization code can exchange it for tokens. PKCE prevents this because the attacker cannot generate a valid token request without the original, secret code verifier that corresponds to the code challenge sent initially. Even if the code is stolen from the redirect URI, it is useless without the verifier held by the legitimate client.
S256 vs. Plain Challenge Method
PKCE defines two transformation methods for creating the code challenge from the verifier:
S256: The verifier is hashed with SHA-256, then Base64URL-encoded. This is the recommended and most secure method, as it never exposes the original verifier.plain: The verifier is used as the challenge without transformation. This method is provided for compatibility but should be avoided as it offers no security benefit if the challenge is observed. RFC 7636 mandates support forS256.
Protection Against Malicious Clients
PKCE also provides a layer of defense in scenarios involving malicious or compromised client applications. If a malicious app registers a custom URI scheme also used by a legitimate app, it could potentially capture authorization codes. PKCE mitigates this risk because the malicious app would not possess the correct code verifier generated by the legitimate app at the start of its flow. This makes code replay attacks significantly more difficult.
Native & SPA Application Security
PKCE is particularly critical for clients that cannot securely store a client secret, which includes:
- Single-Page Applications (SPAs): JavaScript running in the browser cannot protect a secret.
- Mobile & Desktop Native Apps: Apps distributed to end-user devices are considered 'public clients' as their embedded secrets can be extracted. For these clients, PKCE provides the primary proof that the entity redeeming an authorization code is the same one that initiated the request, effectively substituting for a client secret in the token request phase.
Required Flow for OAuth 2.1
The importance of PKCE is underscored by its elevation in OAuth 2.1, which consolidates and simplifies the OAuth 2.0 specification. In OAuth 2.1:
- The Authorization Code Flow with PKCE is the required flow for all OAuth clients, whether public or confidential.
- The implicit grant and resource owner password credentials flows are removed.
- The authorization code flow without PKCE is deprecated. This change reflects the security industry's consensus that PKCE's benefits are essential for modern application security and should be universally adopted.
Frequently Asked Questions
Proof Key for Code Exchange (PKCE, pronounced 'pixy') is a critical extension to the OAuth 2.0 Authorization Code flow, specifically designed to protect public clients like mobile and single-page applications from authorization code interception attacks. These questions address its core mechanisms and implementation.
Proof Key for Code Exchange (PKCE) is an OAuth 2.0 security extension that prevents authorization code interception attacks by having the client application cryptographically prove it is the same entity that initiated the authorization request.
It works through a four-step challenge-and-verification process:
- Code Verifier Creation: The client creates a high-entropy cryptographically random string called the
code_verifier. - Code Challenge Derivation: The client hashes the
code_verifier(using SHA-256) to create acode_challenge. This challenge is sent to the authorization server during the initial authorization request. - Authorization Code Grant: After user consent, the authorization server returns an authorization code to the client, binding it to the
code_challenge. - Token Exchange with Proof: To exchange the authorization code for an access token, the client must send the original
code_verifierto the token endpoint. The server hashes it and verifies it matches the storedcode_challenge. If they match, the token is issued; if not, the request is rejected, thwarting a stolen code.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
PKCE operates within a broader ecosystem of standards and technologies designed to secure authentication, authorization, and credential handling. Understanding these related concepts is essential for implementing robust security for public clients.
Authorization Code Flow
The OAuth 2.0 Authorization Code Grant is the flow secured by PKCE. It is a server-side, multi-step process designed to keep access tokens hidden from the user's browser and potential malicious actors.
- Standard Flow (without PKCE): The client redirects the user to the authorization server. After the user consents, the server redirects back to the client with a short-lived authorization code in the URL query string. The client then exchanges this code, along with its client secret, for an access token via a secure back-channel request.
- The Interception Risk: In a public client, there is no true client secret. An attacker who intercepts the authorization code (e.g., from browser history, logs, or a compromised redirect URI) could exchange it for an access token themselves. This is known as an Authorization Code Interception Attack.
- PKCE's Role: PKCE adds a cryptographically bound secret (the code verifier) to this flow, making the intercepted code useless without the original verifier known only to the legitimate client.
Code Verifier & Code Challenge
These are the two core cryptographic components introduced by PKCE.
- Code Verifier: A high-entropy cryptographically random string created by the client. It is typically 43-128 characters long, using characters
[A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~". The client must keep this secret. - Code Challenge: A derived value sent to the authorization server during the initial authorization request. The client creates it by transforming the code verifier.
S256Method (Recommended): The code challenge is the Base64URL-encoded SHA-256 hash of the code verifier. This prevents the original verifier from being exposed even if the challenge is intercepted.plainMethod: The code challenge is the verifier itself (not recommended unlessS256is unavailable).
- The Binding: When the client later exchanges the authorization code for a token, it must present the original code verifier. The authorization server recalculates the challenge from this verifier and compares it to the initial challenge it stored. A match proves this client initiated the original request.
Public Client
A Public Client is any OAuth 2.0 client application that cannot securely store a client secret. This inability is inherent to its architecture, not a configuration choice.
- Examples: Native mobile apps (iOS, Android), single-page applications (SPA) running in a web browser, and desktop applications.
- The Security Problem: These clients execute in an environment controlled by the resource owner (the user's device/browser). Any embedded secret can be extracted through reverse engineering or debugging, making it not truly secret. Therefore, the traditional OAuth Authorization Code flow, which relies on a client secret for the code exchange, is insecure for them.
- PKCE as the Solution: PKCE was specifically designed to secure the Authorization Code flow for public clients without requiring a static client secret. It replaces the secret's function with the dynamically generated, transaction-specific code verifier, providing proof of origin for the token request.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us