Glossary

Proof Key for Code Exchange (PKCE), defined.

An OAuth 2.0 extension that prevents authorization code interception attacks, mandatory for public clients (mobile apps, SPAs).


What is Proof Key for Code Exchange (PKCE)?

PKCE works by having the client generate a high-entropy random code_verifier, send only its hash (the code_challenge) with the authorization request, and then present the original code_verifier when exchanging the authorization code for tokens. The authorization server recomputes the hash and compares it with the challenge it bound to that code, so an intercepted code is useless to anyone who does not also hold the verifier. RFC 9700 (OAuth 2.1 best practice) mandates PKCE for all clients, public and confidential.
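The exchange described above, worked through on both sides as an added example (this is illustrative code written for this glossary entry, not code from the firm or from any OAuth library). The client half generates the verifier and its S256 challenge exactly as RFC 7636 specifies; the server half is a constructed in-memory code table standing in for an authorization server, with a single-use code and a constant-time verifier check.

```python
"""PKCE (RFC 7636): client-side generation and server-side verification."""
import base64
import hashlib
import hmac
import re
import secrets
from typing import Optional

# RFC 7636 section 4.1: the verifier is 43..128 unreserved characters.
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires for both values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_code_verifier() -> str:
    """Client: 32 random bytes -> 43-character verifier (256 bits of entropy)."""
    return b64url_nopad(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """Client: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, stored_method: str, verifier: Optional[str]) -> bool:
    """Server, token endpoint: recompute the challenge and compare in constant time."""
    if verifier is None or not VERIFIER_RE.match(verifier):
        return False
    if stored_method == "S256":
        expected = code_challenge_s256(verifier)
    elif stored_method == "plain":
        expected = verifier  # allowed by RFC 7636, but servers should insist on S256
    else:
        return False
    return hmac.compare_digest(expected, stored_challenge)


# Constructed stand-in for the authorization server's code table: code -> (challenge, method).
def issue_code(codes: dict, challenge: str, method: str) -> str:
    """Authorization endpoint: bind the presented challenge to a fresh single-use code."""
    code = secrets.token_urlsafe(16)
    codes[code] = (challenge, method)
    return code


def redeem_code(codes: dict, code: str, verifier: Optional[str]) -> bool:
    """Token endpoint: the code is consumed on first use; tokens only if PKCE checks out."""
    entry = codes.pop(code, None)  # single use even when the verifier turns out to be wrong
    if entry is None:
        return False
    return verify_pkce(entry[0], entry[1], verifier)
```

Run against the RFC 7636 Appendix B test vector, the S256 challenge for verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk is E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM.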

Where this shows up

See our web application penetration testing, API security testing, network penetration testing, and cloud security audit services for how we test for and defend against this class of issue.
