
PKCE Generator

Generate OAuth 2.0 PKCE code_verifier and code_challenge pairs for the Authorization Code flow with PKCE (RFC 7636).

All processing happens in your browser — nothing is sent to our servers

How PKCE Works

PKCE (Proof Key for Code Exchange) prevents authorization code interception attacks. Step 1: generate a random code_verifier. Step 2: compute code_challenge = BASE64URL(SHA256(code_verifier)) and send it with the auth request. Step 3: send the original code_verifier when exchanging the code for tokens — the server verifies the SHA-256 matches. Required for all public clients (SPAs, mobile apps) per RFC 9700 (OAuth 2.1).

How it works
PKCE OAuth 2.0 Flow (RFC 7636)

01 code_verifier
43–128 character cryptographically random URL-safe string — generated on the client and kept secret

02 SHA-256 hash
SHA-256(ASCII(code_verifier)) — hashed to produce a commitment the server can verify later

03 code_challenge
Base64url(SHA-256(verifier)) with no padding — sent with the /authorize request

04 Auth code
Server stores the challenge and issues an authorization code tied to it

05 Token exchange
Client sends code + verifier. Server checks Base64url(SHA-256(verifier)) == stored challenge → issues tokens

Spec: RFC 7636 (PKCE), S256 challenge method

PKCE prevents authorization code interception attacks. Even if an attacker intercepts the code, they cannot exchange it without the code_verifier, which was never transmitted.
