S256 (Recommended)
SHA-256 hash of the code_verifier. More secure and recommended for all clients.
Plain
Code challenge equals code verifier. Only use if S256 is not supported.
How PKCE Works
1. Generate code_verifier: create a cryptographically random string (43-128 characters).
2. Create code_challenge: for S256, BASE64URL(SHA256(code_verifier)); for plain, code_challenge = code_verifier.
3. Authorization request: include code_challenge and code_challenge_method in the authorization URL.
4. Token request: include the original code_verifier when exchanging the authorization code for tokens.
5. Server verification: the authorization server recomputes BASE64URL(SHA256(code_verifier)) from the submitted verifier (or uses the verifier as-is for plain) and checks that it matches the code_challenge it received in the authorization request.
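The five steps above, as an added example that is not part of the original page: client-side verifier and challenge generation, the authorization URL, and the server-side check that rejects malformed or mismatched verifiers. The endpoint URL, client_id and redirect_uri are placeholder assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# RFC 7636 unreserved characters permitted in a code_verifier
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def b64url(data: bytes) -> str:
    # BASE64URL encoding with the trailing '=' padding removed, as PKCE requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    # 32 random bytes encode to 43 characters (the minimum); 96 bytes encode to 128 (the maximum)
    if not 32 <= n_bytes <= 96:
        raise ValueError("n_bytes must be 32..96 so the verifier is 43-128 characters long")
    return b64url(secrets.token_bytes(n_bytes))


def create_code_challenge(code_verifier: str, method: str = "S256") -> str:
    if method == "S256":
        return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    if method == "plain":
        return code_verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def build_authorization_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                            code_challenge: str, method: str = "S256") -> str:
    # Step 3: the challenge and method travel in the authorization request, never the verifier
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "code_challenge": code_challenge, "code_challenge_method": method}
    return authorize_endpoint + "?" + urlencode(params)


def server_verify(code_verifier: str, stored_challenge: str, method: str) -> bool:
    # Step 5, authorization-server side: reject verifiers outside the RFC length/charset
    # before hashing, then compare in constant time to avoid a timing side channel
    if not 43 <= len(code_verifier) <= 128 or not set(code_verifier) <= UNRESERVED:
        return False
    expected = create_code_challenge(code_verifier, method)
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


if __name__ == "__main__":
    verifier = generate_code_verifier()
    challenge = create_code_challenge(verifier)
    print(build_authorization_url("https://issuer.example/authorize", "my-client",
                                  "https://app.example/callback", challenge))
    print("server accepts:", server_verify(verifier, challenge, "S256"))
```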