From IndieWeb

PKCE is short for Proof-Key for Code Exchange (pronounced "pixie"), a standard (RFC 7636) extension to OAuth 2.0 that is used by IndieAuth, that protects against intercepted authorization codes during the OAuth flow.

It allows an OAuth 2.0 token server to confirm that the client attempting to redeem an authorization code is the same client that requested it.

As of 2020-09-26, PKCE has been incorporated into the IndieAuth spec.

How it Works

  1. The client establishes its identity by generating a random secret.
  2. When the client redirects the user to the authorization server, it includes a one-way hashed version of this secret, known as the code_challenge, which the server will store, along with a code_challenge_method describing the hashing algorithm used to make the hash.
  3. After authorizing, the user returns to the client with an authorization code.
  4. When the client makes a request to redeem the authorization code for an access token, it sends along the original secret that it generated as the code_verifier.
  5. The token server verifies that the code_verifier, when hashed with the code_challenge_method, hashes to the same value as the code_challenge it received originally. If it matches, the server returns a token as normal.

Backwards Compatibility

PKCE extends OAuth flow requests with new parameters rather than introducing new values for existing ones. This allows clients to pro-actively implement PKCE without breaking compatibility with OAuth providers that do not yet support it.

IndieWeb Examples

Micropub Clients

Micropub Servers


  • indieauth-client-php supports PKCE as of 2019-03-10. If you use the simple start/finish methods it will happen transparently. If you use the manual method you will need to generate and store your own PKCE code verifier.

See Also