Learn how the Authorization Code flow with Proof Key for Code Exchange (PKCE) works and why you should use it for native and mobile apps.

PKCE was originally designed to protect the authorization code flow in mobile apps, but its ability to prevent authorization code injection makes it useful for every type of OAuth client, even web apps …

Apr 30, 2025 · PKCE is mandatory in OAuth 2.1. It’s no longer optional—it’s the new standard. What is PKCE? PKCE, pronounced “pixie,” is a security extension for OAuth 2.0’s Authorization Code flow. …

Jan 9, 2026 · Protocol reference for the Microsoft identity platform's implementation of the OAuth 2.0 authorization code grant

PKCE, which stands for “Proof of Key Code Exchange” and is pronounced “pixy,” is an extension of the OAuth 2.0 protocol that helps prevent code interception attacks. OAuth 2.0 allows users to share …

OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack. This specification describes the attack as well as a technique to mitigate against …

Oct 2, 2025 · What Is PKCE? PKCE (Proof Key for Code Exchange) is a security extension to OAuth 2.0 that protects the Authorization Code flow from interception attacks—especially for public clients like …

Enabling PKCE for an External Client App requires setting an option on the connection in the org settings. For information on the configuration steps to follow for each External Client App, please …

Sep 13, 2019 · PKCE is short for Proof Key for Code Exchange. It is a mechanism that came into being to make the use of OAuth 2.0 Authorization Code grant more secure in certain cases. Why PKCE? …

PKCE Code Generator for OAuth 2.0. Number of Random Bytes to Use to Generate Code Verifier