ediverse Explore the platform

Spotlight PEPPOL BIS Billing 3.0 The EU e-invoicing mandate is here — France Sept 2026, Belgium Jan 2026, Germany 2025.

OAuth PKCE detail

PKCE OAuth code interception protection.

Definition

PKCE flow: client generates random code_verifier (43-128 chars), computes code_challenge = BASE64URL(SHA256(code_verifier)). Sends code_challenge + code_challenge_method=S256 in Authorization Request. During token exchange, sends code_verifier. Authorization Server verifies SHA256(code_verifier) == code_challenge. Prevents replay if attacker intercepts the code.

Origin

IETF OAuth WG, RFC 7636 published September 2015, originally for mobile apps (public clients).

Usage

Mandatory for all Authorization Code flows in OAuth 2.1, FAPI 2.0, OIDC Core. Actively used by mobile SDKs (Apple ASWebAuthenticationSession, Android Chrome Custom Tabs).

Related terms

Last updated: May 18, 2026