PKCE (Proof Key for Code Exchange)
What is PKCE (Proof Key for Code Exchange)?
PKCE is an extra security layer for the OAuth 2.0 authorization code flow. It is used mainly by public clients such as mobile apps, single-page applications (SPAs), and native apps, which cannot keep a client secret confidential.
Here’s how it works:
At the start of login, the client creates a code verifier and derives a code challenge from it. The challenge is sent with the authorization request. Later, when exchanging the authorization code for tokens, the client must send the original code verifier. The identity provider checks that the verifier matches the challenge it stored with that authorization code.
This prevents an attacker who intercepts the authorization code from exchanging it for tokens, because the attacker does not hold the code verifier. In identity management, PKCE helps ensure secure logins without requiring stored secrets.