PKCE Generator

Generate PKCE (Proof Key for Code Exchange) code verifier and code challenge pairs for OAuth 2.0 / 2.1 authorization flows.

About PKCE

PKCE (Proof Key for Code Exchange, RFC 7636) prevents authorization code interception attacks. It is mandatory in OAuth 2.1 for all clients.

  • code_verifier - A cryptographically random string (43-128 chars) sent with the token exchange request
  • code_challenge - Base64url-encoded SHA-256 hash of the verifier, sent with the authorization request
  • S256 method - Always prefer S256 over plain for security

What is This Tool?

A PKCE generator creates code verifier and code challenge pairs for OAuth 2.0 Proof Key for Code Exchange flows. PKCE (pronounced "pixie") prevents authorization code interception attacks in public clients like mobile apps and single-page applications.

PKCE works by generating a random code_verifier (43-128 characters), computing its base64url-encoded SHA-256 hash as the code_challenge, and sending the challenge with the authorization request. When exchanging the code for tokens, the client sends the original verifier and the server re-hashes it to check that it matches the stored challenge.

Common Use Cases

OAuth Implementation

Generate PKCE pairs for implementing OAuth 2.0 authorization code flow with PKCE in SPAs, mobile apps, and CLI tools.

Auth Provider Testing

Test PKCE validation in OAuth servers like Auth0, Okta, Keycloak, and custom authorization servers.

Security Auditing

Verify that your OAuth implementation correctly validates PKCE challenges and rejects invalid verifiers.

API Gateway Testing

Test PKCE-enforced API gateways and token endpoints with properly generated challenge/verifier pairs.

Frequently Asked Questions

What is the code_verifier format?

A cryptographically random string, 43-128 characters long, using unreserved URL characters (A-Z, a-z, 0-9, -, ., _, ~).

How is the code_challenge computed?

code_challenge = BASE64URL(SHA256(code_verifier)). The method S256 (SHA-256) is recommended; plain (no hashing) is a less secure fallback.

Is PKCE required?

OAuth 2.1 (draft) requires PKCE for all clients. OAuth 2.0 recommends it for public clients. Many providers (Auth0, Okta) already enforce it.