Proof Key for Code Exchange (PKCE) is an optional security mechanism that you can use with the Authorization Code Grant flow.

It allows you to send either a plain, non-encoded string or an encoded string along with the authorization request. The OAuth2 service verifies this string when the client attempts to exchange the authorization code for an access token.

Using this mechanism ensures that no third party intercepts any of the calls in the Authorization Code Grant, which could comprise the security of your implementation of this flow. The recommended uses for the PKCE mechanism are mobile applications, as well as scenarios where the clients can't store secrets in a secure manner

Learn more:

  • Send feedback

    If you find any information that is unclear or incorrect, please let us know so that we can improve the Dev Portal content.

  • Get Help

    Use our private help channel. Receive updates over email and contact our specialists directly.

  • hybris Experts

    If you need more information about this topic, visit hybris Experts to post your own question and interact with our community and experts.