Home
Back to Glossary

PKCE

Pages
1
References
1
Related Terms
3

Definition

PKCE is an OAuth extension that uses a code verifier and code challenge to protect Authorization Code Flow against code interception.

Background

Defined in RFC 7636, it became especially important for mobile apps and browser-based clients that cannot safely hold a client secret.

Position

It is the concrete mechanism that strengthens OAuth 2.1 and MCP authorization flows.

Distinctions

  • PKCE is not an authentication protocol; it strengthens OAuth Authorization Code Flow.
  • It can be used with OIDC, but it is not OIDC itself.
External Reference RFC 7636: Proof Key for Code Exchange Standard

Primary source-backed reference selected for this concept.

A concept map for PKCE.

Page Context

Pages