PKCE Generator

Generate code_verifier and code_challenge pairs for secure OAuth2 authorization flows

code_verifier length: 43–128 characters (RFC 7636)

Understanding PKCE

Why Proof Key for Code Exchange matters for OAuth2 security

What is PKCE?

PKCE (Proof Key for Code Exchange) is an extension to OAuth2 that prevents authorization code interception attacks. It is now recommended for all OAuth2 clients, including server-side applications.

How It Works

The client generates a random code_verifier and derives a code_challenge from it. The challenge is sent with the authorization request, and the verifier is sent when exchanging the code for tokens, so the authorization server can check that both requests came from the same client.

S256 vs Plain

S256 sends a SHA-256 hash of the verifier as the challenge, so an attacker who intercepts the challenge still cannot produce the verifier. The plain method uses the verifier itself as the challenge and should only be used when S256 is not supported.
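The flow and the two methods described above, as an added example (not AuthAction's code): the client side generates the pair and the authorization-server side checks the verifier at the token endpoint. The function names are hypothetical; the test vector is the one published in RFC 7636, Appendix B.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_verifier(n_bytes: int = 32) -> str:
    """Client (hypothetical helper): 32 random bytes give a 43-character verifier."""
    return b64url(secrets.token_bytes(n_bytes))

def make_challenge(verifier: str, method: str = "S256") -> str:
    """Client: derive the code_challenge sent in the authorization request."""
    if not VERIFIER_RE.fullmatch(verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier  # the challenge is the verifier itself
    raise ValueError("unsupported code_challenge_method")

def server_verify(stored_challenge: str, stored_method: str, verifier: str) -> bool:
    """Server: check the token-request verifier against the stored challenge."""
    try:
        expected = make_challenge(verifier, stored_method)
    except ValueError:
        return False  # malformed verifier or unknown method
    return hmac.compare_digest(expected.encode(), stored_challenge.encode())

# Test vector from RFC 7636, Appendix B.
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

if __name__ == "__main__":
    v = make_verifier()
    c = make_challenge(v)
    print("code_verifier :", v)
    print("code_challenge:", c, "(S256)")
    print("token request accepted:", server_verify(c, "S256", v))
```

With S256, presenting the intercepted challenge as the verifier fails the check; with plain, the same value passes, which is why plain is the fallback only.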

Implementing OAuth2 with PKCE?

AuthAction supports PKCE out of the box for all OAuth2 and OpenID Connect flows.