Also known as: Proof Key for Code Exchange, PKCE flow
Definition
PKCE (Proof Key for Code Exchange) is the OAuth 2.1 flow that prevents authorization-code interception by browser-based clients. The client generates a verifier, hashes it into a challenge, sends the challenge with the auth request, and presents the original verifier at the code-exchange step. An attacker who steals the code alone cannot complete the exchange.
PKCE is the OAuth flow used by clients that cannot keep a secret, which includes browsers and mobile apps. Before initiating the OAuth redirect, the client generates a random code_verifier and derives a code_challenge from it (the SHA-256 hash of the verifier, base64url-encoded). The challenge travels with the authorization request; the verifier never leaves the originating client, where it is held in cookie storage.
When the authorization server returns the auth code, the client posts both the code AND the verifier back. The server hashes the verifier and compares the result with the challenge it received in the authorization request. If the values do not match, the server rejects the exchange.
The authorization code travels through URL parameters, referer headers, browser history, and server logs. Any of those can leak the code. Without PKCE, an attacker with the code can complete the exchange themselves. With PKCE, the code is useless without the verifier, and the verifier never appears in any URL.
In Supabase, @supabase/ssr uses PKCE for all OAuth and magic-link flows automatically. The older implicit flow that sent tokens directly in URL fragments is deprecated.