OAUTH-PKCE
Secure OAuth Authorization Code for public clients.
Definition
PKCE generates code_verifier (random 43-128 chars) and code_challenge = SHA256(verifier) base64url. The client sends code_challenge to authorization, then code_verifier to token endpoint. The server verifies SHA256. Mandatory in OAuth 2.1.
Origin
RFC 7636 published September 2015 by Nat Sakimura, John Bradley, Naveen Agarwal.
Example in context
A mobile EDI app consumes a B2B API via Authorization Code + PKCE, with no embedded client secret.
Related terms
- OAuth 2.1 — mandatory in.