{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreidsbau3iqjc5am44j3gcruqoiwwntj7m3ochwtmlqyfr2dhsjjvla",
"uri": "at://did:plc:5sgu76a53rz3n6unbykmovqy/app.bsky.feed.post/3mloetzlkxwi2"
},
"description": "PKCE (Proof Key for Code Exchange), pronounced \"pixy\", is an extension to the OAuth 2.0 Authorization Code flow that protects against authorization code interception attacks. It was originally designed for native mobile apps but is now the recommended default for all clients, including server-side and single-page applications.\n\n\nHow it works\n\nThe client generates a high-entropy random string called the code verifier and derives a code challenge from it using SHA-256. The client sends the code ch",
"path": "/engineering-glossary/pkce-proof-key-code-exchange/",
"publishedAt": "2026-05-12T18:04:52.000Z",
"site": "https://sahilkapoor.com",
"tags": [
"RFC 7636",
"OAuth 2.0",
"OIDC",
"Authorization Server",
"JWT",
"Bearer Token"
],
"textContent": "**PKCE (Proof Key for Code Exchange)**, pronounced \"pixy\", is an extension to the OAuth 2.0 Authorization Code flow that protects against authorization code interception attacks. It was originally designed for native mobile apps but is now the recommended default for all clients, including server-side and single-page applications.\n\n## How it works\n\nThe client generates a high-entropy random string called the **code verifier** and derives a **code challenge** from it using SHA-256. The client sends the code challenge with the initial authorization request. When exchanging the authorization code for an access token, the client also sends the original code verifier. The authorization server verifies that the verifier hashes to the same challenge, proving that the same client that started the flow is finishing it.\n\nEven if an attacker intercepts the authorization code, they cannot exchange it for tokens without the original verifier, which never leaves the legitimate client.\n\n## Specification\n\nDefined by RFC 7636. OAuth 2.1 requires PKCE for the Authorization Code flow regardless of client type.\n\n**Related Terms**\nOAuth 2.0, OIDC, Authorization Server, JWT, Bearer Token.",
"title": "PKCE",
"updatedAt": "2026-05-13T19:15:16.619Z"
}