---
title: PKCE parameters
description: For added security, you can also include Proof Key for Code Exchange (PKCE) parameters in the authorization request for the code and hybrid grant types. PKCE for OAuth uses either plain text or a cryptographic hash of a random string that is included in the authorization request (code_challenge) along with the encoding method used (code_challenge_method). When the authorization code is issued in the response, the original plain text or random string (code_verifier) is included in the token request. For PKCE authentication flows, the tokenEndpointAuthMethod property on the application must be set to NONE.
component: pingone-api
page_id: pingone-api:foundations:authentication-concepts/authorization-flow-by-grant-type/pkce-parameters
canonical_url: https://developer.pingidentity.com/pingone-api/foundations/authentication-concepts/authorization-flow-by-grant-type/pkce-parameters.html
---

# PKCE parameters

For added security, you can also include Proof Key for Code Exchange (PKCE) parameters in the authorization request for the code and hybrid grant types. With PKCE for OAuth, the client creates a random string (`code_verifier`) and includes either that string in plain text or a cryptographic hash of it in the authorization request (`code_challenge`), along with the encoding method used (`code_challenge_method`). After the authorization code is issued in the response, the client includes the original plain text or random string (`code_verifier`) in the token request. For PKCE authentication flows, the `tokenEndpointAuthMethod` property on the application must be set to `NONE`.

**Step 1:** Send an authorize request to the PingOne authorization server.

```bash
curl --location --request GET '{{authPath}}/{{envID}}/as/authorize?response_type=code&client_id={{appID}}&redirect_uri={{redirect_uri}}&scope=openid&code_challenge={{codeChallenge}}&code_challenge_method=S256'
```

The request requires the following properties in the request URL:

* `response_type`: For an `authorization_code` grant, the response type is `code`.

* `client_id`: The application's ID.

* `redirect_uri`: The URL to redirect the browser after sign on.

* `scope`: The permissions that specify accessible resources.

* `code_challenge`: A string that is computed from the `code_verifier` that is used in a Proof Key for Code Exchange (PKCE) authorization request.

* `code_challenge_method`: A string that specifies the computation logic used to generate the `code_challenge` string.

The `code_challenge_method` parameter is required if the application's `pkceEnforcement` property is set to `S256_REQUIRED`. Otherwise, it is optional.

For more information about the PKCE query parameters that can be set on the request, refer to [Authorize (authorization\_code)](../../../auth/openid-connect-oauth-2/authorize-authorization_code.html#get-authorize-authorization_code-get) in *Platform Auth APIs*.

**Step 2:** After the sign-on flow completes, call the resume endpoint.

```bash
curl --location --request GET '{{authPath}}/{{envID}}/as/resume?flowId={{flowID}}' \
--header 'Cookie: {{sessionToken}}'
```

The request requires the following properties in the request URL:

* `flowId`: The ID for the authentication flow.

The `Location` HTTP header returned by the resume endpoint contains the code. Note that the PingOne API uses session token cookies to establish the user's authentication session and maintain the session throughout the workflow, allowing the flow to redirect back to the authorization server to get the token.

**Step 3:** Call the token endpoint to exchange the authorization code for a token.

```bash
curl --location --request POST '{{authPath}}/{{envID}}/as/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'code={{authCode}}' \
--data-urlencode 'redirect_uri={{redirect_uri}}' \
--data-urlencode 'client_id={{appID}}' \
--data-urlencode 'code_verifier={{codeVerifier}}'
```

The request requires the following properties in the request body:

* `grant_type`: The grant type of the token request. In this example, the value is `authorization_code`.

* `code`: The authorization code value returned by the resume endpoint.

* `redirect_uri`: The URL that specifies the return entry point of the application.

* `client_id`: The application's ID.

* `code_verifier`: A string used to verify the `code_challenge` value submitted in the authorization request.

When it receives the token request, the authorization server transforms the `code_verifier` property value using the `code_challenge_method` specified in the authorize request. If the transformed `code_verifier` value is equal to the `code_challenge` value submitted in the authorize request, then the authorization server issues the token.

For information about additional parameters supported by the authorization code token request, refer to [Token](../../../auth/openid-connect-oauth-2/token-intro.html) in *Platform Auth APIs*.
