Proof Key for Code Exchange

PKCE.

An OAuth 2.0 extension that protects authorization code flows from interception attacks by binding the authorization request to the token exchange via a hash.

Most modern OAuth libraries default to PKCE. If you are starting a new OAuth client in 2026, you are using PKCE, explicitly or implicitly. If you have an existing OAuth 2.0 client that does not use PKCE, the migration is configuration: enable PKCE on the client, then regenerate or update the SDK calls so that the code_verifier is sent on the token exchange.

Common questions

Do I need PKCE for confidential clients?

How do I implement PKCE?

Is PKCE backwards-compatible with OAuth 2.0?

Last updated 2026-05-07.