⚙️

Generator Settings

Challenge Method

🔑

PKCE Values

code_verifier (43–128 random URL-safe chars — keep this secret)

code_challenge

code_challenge_method

🔗

Build Authorization URL

Authorization Endpoint URL

client_id

redirect_uri

scope

state (auto-generated random value)

📖

PKCE Flow Explained

Generate code_verifier

Client generates a cryptographically random string of 43–128 URL-safe characters (A-Z, a-z, 0-9, -, ., _, ~). This is the secret value.

code_verifier = base64url(random_bytes(32))

Derive code_challenge

For S256: compute SHA-256 of the verifier, then base64url-encode the hash (no padding). For plain: challenge equals verifier.

code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))

Send authorization request

Include code_challenge and code_challenge_method in the authorization endpoint redirect. The server stores the challenge.

GET /authorize?response_type=code&code_challenge=…&code_challenge_method=S256

Receive authorization code

After user authenticates, the authorization server redirects back to redirect_uri with a short-lived authorization code.

Exchange code for tokens

Client sends the authorization code and the original code_verifier to the token endpoint. The server verifies the verifier against the stored challenge.

POST /token { code, code_verifier, grant_type=authorization_code, … }

Receive access token

If verification passes, the server issues access_token, id_token, and optionally refresh_token. The code interception attack is defeated because the attacker never had the verifier.

AquilaX Platform

Detect OAuth misconfigurations
automatically.

AquilaX detects missing PKCE implementation in OAuth flows, authorization code interception vulnerabilities, and insecure redirect_uri configurations.

Start Free → Book a Demo

PKCE Generatorfor OAuth 2.0.

Generator Settings

PKCE Values

Build Authorization URL

PKCE Flow Explained

Detect OAuth misconfigurationsautomatically.

PKCE Generator
for OAuth 2.0.

Detect OAuth misconfigurations
automatically.