PKCE
ELI5 — The Vibe Check
PKCE (pronounced 'pixy') prevents someone from stealing your OAuth authorization code and using it. Before starting the OAuth flow, your app creates a secret puzzle. After getting the auth code, it proves it made the original puzzle. An interceptor can't solve the puzzle. Now required for ALL OAuth flows.
Real Talk
PKCE is an OAuth 2.0 extension that mitigates authorization code interception attacks. The client generates a random code_verifier, sends its hash (the code_challenge) in the authorization request, and presents the original code_verifier when exchanging the authorization code for tokens. The authorization server hashes the presented code_verifier and checks that it matches the code_challenge it stored with that code, so a code stolen from the redirect is useless without the verifier.
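As an added illustration (not code from the original page), a minimal Python model of the S256 variant of this exchange: the client derives the challenge from the verifier, the server stores the challenge with the code it issues, and the token exchange fails when whoever presents the code cannot supply the matching verifier. The AuthorizationServer class and the two flow helpers are hypothetical stand-ins for real endpoints.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: random, high-entropy verifier (RFC 7636 allows 43..128 chars)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()


def make_code_challenge(verifier: str) -> str:
    """Client side: S256 challenge = BASE64URL(SHA256(ASCII(verifier))), no '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class AuthorizationServer:
    """Hypothetical in-memory authorization server modelling only the PKCE checks."""

    def __init__(self) -> None:
        self._codes: dict = {}  # issued authorization code -> stored code_challenge

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        # Accept only S256 (the plain method leaks the verifier) and bind the challenge to the code.
        if method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: Optional[str]) -> bool:
        """Return True only if the code is valid AND the verifier hashes to its challenge."""
        challenge = self._codes.pop(code, None)  # single use: consumed even on failure
        if challenge is None or code_verifier is None:
            return False
        if not 43 <= len(code_verifier) <= 128:
            return False
        # Constant-time comparison of the recomputed challenge against the stored one.
        return hmac.compare_digest(make_code_challenge(code_verifier), challenge)


def legitimate_flow(server: AuthorizationServer) -> bool:
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier))
    return server.token(code, verifier)


def intercepted_flow(server: AuthorizationServer) -> bool:
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier))
    # The code was read off the redirect, but the verifier never left the client.
    return server.token(code, None)
```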
When You'll Hear This
"PKCE is mandatory for public clients — SPAs and mobile apps must use it." / "Even confidential clients should use PKCE as defense in depth."
Related Terms
Access Token
An Access Token is your short-lived pass to access an API. It proves you're authenticated and what you're allowed to do.
OAuth (Open Authorization)
OAuth is the system behind 'Login with Google.' Instead of making a new account, you let Google vouch for you.