Calimatic
Back to blog
Security
6 min read

OAuth 2.0 with PKCE: What It Is and Why You Need It

PKCE is no longer optional. Learn how Proof Key for Code Exchange protects your OAuth flows and how Calimatic Identity implements it.

If you're implementing OAuth 2.0 in 2026, PKCE (Proof Key for Code Exchange) isn't optional — it's essential. The OAuth 2.1 specification makes PKCE mandatory for all authorization code flows, and for good reason.

The Problem with Authorization Code Alone

The classic OAuth 2.0 authorization code flow works like this: your app redirects the user to the authorization server, the user authenticates, and the server redirects back with an authorization code. Your app then exchanges that code for tokens.

The vulnerability? That authorization code travels through the browser's URL bar. On mobile devices and public clients, an attacker can intercept the redirect and steal the code. Since the authorization server can't verify who's exchanging the code, the attacker gets the tokens.

How PKCE Fixes This

PKCE adds a simple but effective layer of protection:

  1. Before the redirect, your app generates a random string called a code_verifier and computes its SHA-256 hash, called the code_challenge.
  1. During the authorization request, your app sends the code_challenge to the server.
  1. During the token exchange, your app sends the original code_verifier. The server hashes it and compares — if it matches the original challenge, the exchange succeeds.

An attacker who intercepts the authorization code can't complete the exchange because they don't have the code_verifier — it never left the client.

PKCE in Calimatic Identity

Our OAuth2/OIDC server enforces PKCE on all authorization code flows by default. Here's what that means for you:

  • Public clients (SPAs, mobile apps) must use PKCE. We reject authorization requests from public clients without a code challenge.
  • Confidential clients (server-side apps) are strongly encouraged to use PKCE. It's defense-in-depth even when you have a client secret.
  • Supported methods: We support both S256 (recommended) and plain code challenge methods, though S256 is enforced for production use.

Implementation Example

Here's a minimal example of the PKCE flow with our authorization server:

Step 1: Generate the code verifier and challenge

const codeVerifier = generateRandomString(128);
const codeChallenge = base64url(sha256(codeVerifier));

Step 2: Include the challenge in the authorization request

GET /api/v1/oidc/authorize?
  response_type=code&
  client_id=your-client-id&
  redirect_uri=https://your-app.com/callback&
  code_challenge=<code_challenge>&
  code_challenge_method=S256&
  scope=openid profile email

Step 3: Include the verifier in the token exchange

POST /api/v1/oidc/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=<authorization_code>&
redirect_uri=https://your-app.com/callback&
client_id=your-client-id&
code_verifier=<code_verifier>

The Bottom Line

PKCE is simple to implement and dramatically improves the security of your OAuth flows. With Calimatic Identity, it's enabled by default — no configuration required. Check our integration guide for complete examples in Next.js, React, and other frameworks.

Ready to get started?

Create a free account and start managing identities in minutes.

Get Started FreeRead the Docs