Authorization Code Flow + PKCE

The Authorization Code Flow + Proof Key for Code Exchange (PKCE) is an OpenId Connect flow specifically designed to authenticate native or mobile application users.

Note: This flow is considered the best practice when using Single Page Apps (SPA) or Mobile Apps.

The primary difference between the PKCE flow and the standard Authorization Code flow is that users aren’t required to provide a client_secret. PKCE reduces security risks for native apps, as embedded secrets aren’t required in the source code. This minimizes the exposure to reverse engineering security threats.

How it Works?

The client app creates a unique string value which replaces the client_secret and also a code_verifier which it hashes and encodes as a code_challenge. When the client app initiates the first part of the Authorization Code flow, it sends a hashed code_challenge.

Once the user authenticates and the authorization code is returned to the client app, it requests an access_token in exchange for the authorization code.

Here, the client app must include the original unique string value in the code_verifier parameter. If the two codes match, the authentication is complete and an access_token is returned.

Authorization Code Flow + PKCE using API


Get the code_challenge and code_verifier from one of online sites and pass these values in the authz url and API request. Many OpenId Connect client libraries resolve the code challenge and verification, but if you’re building your own solution, the OpenId Connect provider expects this.


  • Create a unique string with the below code. This acts as your code_verifier. We recommend you store the code_verified, as it’s needed for the second request in the Authorization Code flow.
var code_verifier = 'some-random-string'
  • Create a SHA256 hash of the code_verifier and base64 url encode it. This is your code_challenge, send it with code_challenge_method=S256 when you request the initial Authorization Code.

const crypto = require('crypto')
const base64url = require('base64url')

var hash = crypto.createHash('sha256').update(code_verifier).digest();
var code_challenge = base64url.encode(hash)

Steps to Get the Challenge Code for the API Request

  1. Open the following URL in your browser.


This URL is used to verify the Authorization Code Flow With PKCE.

  1. Login to a user account that is registered.

  2. After successful authentication, the code is generated in the request shown below.


Note: Here the code is ea2707b0-1bb3-49de-9d32-4c5aa79722ad.

  1. Extract the code and retain it.

  2. Use the Curl command shown below to get access token and other information.

curl --location -g --request POST '{{baseurl}}/token-srv/token' 
--header 'Content-Type: application/x-www-form-urlencoded' 
--data-urlencode 'grant_type=authorization_code' 
--data-urlencode 'client_id={client_ID}' 
--data-urlencode 'code={code_obtained_in_previous_step}' 
--data-urlencode 'redirect_uri=https://yourdomain/user-profile/editprofile' 
--data-urlencode 'code_verifier=7RTGpnRYR64SHYWqOw125Hk8PnjpP0hfrdOXU9_oMQ0'
Note: Enter the challenge code and code verifier in the body of the above request in the API.

Need further assistance?

Please contact our Developer Support Team.

results matching ""

    No results matching ""