How to Generate PKCE Values for OAuth
PKCE Generation
What is PKCE?
Proof Key for Code Exchange (PKCE, RFC 7636) protects OAuth 2.0 authorization code flows against interception of the authorization code. The client generates a random code_verifier, derives a code_challenge from it, and sends only the challenge with the authorize request. The verifier itself is sent later, during the token exchange, where the authorization server recomputes the challenge from it and compares the two.
S256 vs plain
S256 (recommended) hashes the verifier with SHA-256 and Base64URL-encodes the digest. Plain sends the verifier itself as the challenge, so anyone who can observe the authorize request also learns the verifier; use it only when the authorization server requires it.
OAuth Flow
- Generate code_verifier and code_challenge
- Redirect user to authorize URL with code_challenge and code_challenge_method
- Exchange authorization code for tokens with code_verifier
Frequently asked questions
Should I use S256 or plain?
Use S256 unless your OAuth provider explicitly requires plain. S256 is the industry standard and more secure.
Can I provide my own code_verifier?
Yes. Paste a verifier between 43 and 128 characters using unreserved URI characters [A-Za-z0-9-._~], or leave empty to auto-generate one.