PKCE (Proof Key for Code Exchange) prevents authorization code interception attacks by binding the code to a verifier known only to the client. It is required for public clients (SPAs, mobile apps) that cannot securely store a client secret. As of OAuth 2.1, PKCE is recommended for all authorization code flows regardless of client type.
PKCE prevents authorization code injection — an intercepted code is useless without the code_verifier.
Required for SPAs and mobile apps — these are public clients that cannot securely store a client_secret.
S256 method — code_challenge = BASE64URL(SHA256(ASCII(code_verifier))); always use S256, not plain.
state parameter prevents CSRF attacks — always include it alongside PKCE.
OAuth 2.1 requires PKCE for all authorization code flows — treat it as mandatory for all new implementations.
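The S256 binding described above, worked through on both sides of the flow as an added example (not code from the original page): the client generates a code_verifier and derives the code_challenge, and the authorization server's token endpoint recomputes the challenge from the presented verifier, rejecting the plain method and malformed verifiers. The function names are this example's own.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Unreserved characters RFC 7636 permits in a code_verifier, 43..128 of them.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_no_pad(data: bytes) -> str:
    """BASE64URL encoding without '=' padding, as PKCE specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """Client side: 32 CSPRNG bytes encode to a 43-char verifier (the minimum length)."""
    return b64url_no_pad(secrets.token_bytes(n_bytes))


def code_challenge_s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), sent on /authorize."""
    return b64url_no_pad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def verify_code_challenge(stored_challenge: str, method: str, code_verifier: str) -> bool:
    """Authorization server side, at the token endpoint.

    stored_challenge and method were saved with the authorization code when it was
    issued; code_verifier arrives in the token request. An intercepted code fails
    here because the attacker cannot produce a verifier hashing to the stored value.
    """
    if method != "S256":
        return False  # 'plain' exposes the verifier in the authorize request
    if not _VERIFIER_RE.match(code_verifier):
        return False
    expected = code_challenge_s256(code_verifier)
    # Constant-time compare so the check does not leak how many characters matched.
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


def verify_state(expected_state: str, returned_state: str) -> bool:
    """Client side, on the redirect back: the echoed state must equal the one stored
    for this browser session (CSRF check). Independent of PKCE; do both."""
    return hmac.compare_digest(expected_state.encode("utf-8"), returned_state.encode("utf-8"))


if __name__ == "__main__":
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)  # client stores verifier, sends challenge
    print("token endpoint accepts verifier:", verify_code_challenge(challenge, "S256", verifier))
```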