RFC 7636 — Proof Key for Code Exchange (PKCE)

Spec: datatracker.ietf.org/doc/html/rfc7636Status: Full

RFC 7636 binds an authorization code to the client that requested it, mitigating code interception attacks. It is required for public clients (SPAs, native apps) and recommended for all clients.

Implemented

code_challenge / code_challenge_method — accepted on /authorize requests.
S256 — SHA-256 challenge method (recommended and used by default by AuthHero's SDKs).
plain — supported for compatibility; clients should prefer S256.
code_verifier — validated at the token endpoint against the challenge bound to the authorization code.
Mandatory for public clients — public clients cannot exchange a code without PKCE.
Optional for confidential clients — supported and encouraged even when client authentication is already present.

SPA Authentication
Authentication Flows

UI Widget

SAML Package

Multi-Tenancy Package

RFC 7636 — Proof Key for Code Exchange (PKCE)

Implemented

RFC 7636 — Proof Key for Code Exchange (PKCE) ​

Implemented ​

Related AuthHero documentation ​

RFC 7636 — Proof Key for Code Exchange (PKCE)

Implemented

Related AuthHero documentation