---
title: PKCE Authorization Code Flow
description: In some cases, as with applications on native devices, the use of an authorization code grant can be compromised by authorization code interception attacks. The attacking application gains access to the client secret, intercepts the authorization code, and is able to exchange the intercepted authorization code for an access token.
component: pingone-api
page_id: pingone-api:workflow-library:platform-sso-and-authorization/openid-connect-oidc/pkce-authorization-code-flow
canonical_url: https://developer.pingidentity.com/pingone-api/workflow-library/platform-sso-and-authorization/openid-connect-oidc/pkce-authorization-code-flow.html
section_ids:
  workflow-tasks: Workflow tasks
  prerequisites: Prerequisites
---

# PKCE Authorization Code Flow

In some cases, as with applications on native devices, the use of an authorization code grant can be compromised by authorization code interception attacks. The attacking application gains access to the client secret, intercepts the authorization code, and is able to exchange the intercepted authorization code for an access token.

Proof Key for Code Exchange (PKCE) authorization requests specify additional parameters in the request to prevent malicious apps from intercepting the authorization code. PKCE uses a random key, a `code_verifier`, that is used to compute a `code_challenge` parameter, which functions like a temporary application secret (unique to a single token request). PKCE works as follows:

1. The client creates and records a `code_verifier` secret, which is a random value between 43 and 128 characters in length.

2. The client uses the `code_verifier` value to compute the `code_challenge` value. The `code_challenge_method` is the transformation method that creates the `code_challenge` value. This parameter value is also recorded.

3. The authorization request includes the `code_challenge` and in some cases the `code_challenge_method` parameter values in the request. The `code_challenge_method` is an optional parameter. It defaults to `plain` if not specified (which generates an error when the `S256_REQUIRED` PKCE enforcement option is specified by the application).

4. The authorization server records the `code_challenge` and the `code_challenge_method` parameter values, and responds by issuing the authorization code.

5. The client sends the authorization code to the `/{{envID}}/as/token` endpoint. The token request requires the `code_verifier` secret created in step 1.

6. The authorization server uses the `code_challenge_method` to transform the `code_verifier` value and compare it to the `code_challenge` value submitted and recorded in the authorize request.

7. If these values are equal, an access token is granted. If they are not equal, access is denied.
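The seven steps above, carried through end to end in Python as an added example (this is not code from the PingOne documentation or its Postman collection). The client side covers steps 1, 2, 3 and 5; the server side covers the `pkceEnforcement` check at authorize time and the comparison in steps 6 and 7. The authorize endpoint path `/{envID}/as/authorize`, the helper names, and all client IDs, codes and URLs are assumptions for illustration; the page itself names only the `/{{envID}}/as/token` endpoint. The `S256` transform follows RFC 7636 (SHA-256 then unpadded base64url), and the test vector from that RFC's Appendix B is used to check it.

```python
import base64
import hashlib
import hmac
import secrets
import string
from urllib.parse import urlencode

# Unreserved characters permitted in a code_verifier (RFC 7636, section 4.1).
_VERIFIER_ALPHABET = string.ascii_letters + string.digits + "-._~"


def make_code_verifier(length: int = 64) -> str:
    """Step 1: create and record a random code_verifier of 43..128 unreserved characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43 to 128 characters long")
    return "".join(secrets.choice(_VERIFIER_ALPHABET) for _ in range(length))


def compute_code_challenge(code_verifier: str, method: str = "S256") -> str:
    """Step 2: derive code_challenge from code_verifier using code_challenge_method."""
    if method == "S256":
        digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
        # base64url without trailing '=' padding, as RFC 7636 requires.
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    if method == "plain":
        return code_verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def build_authorize_url(auth_path, env_id, client_id, redirect_uri,
                        code_challenge, method="S256", state=None):
    """Step 3: authorization request carrying code_challenge and code_challenge_method.
    The /{envID}/as/authorize path is an assumption in this example."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "code_challenge": code_challenge,
        "code_challenge_method": method,
    }
    if state:
        params["state"] = state
    return f"{auth_path}/{env_id}/as/authorize?{urlencode(params)}"


def build_token_request_body(client_id, redirect_uri, authorization_code, code_verifier):
    """Step 5: form body POSTed to /{envID}/as/token; it carries the step-1 code_verifier."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": authorization_code,
        "code_verifier": code_verifier,
    }


# ---- authorization server side ----------------------------------------------

def check_enforcement(pkce_enforcement, code_challenge, code_challenge_method):
    """Apply the application's pkceEnforcement setting when the authorize request arrives.
    Returns None when the request is acceptable, otherwise an error string."""
    method = code_challenge_method or "plain"  # defaults to plain when omitted
    if pkce_enforcement in ("REQUIRED", "S256_REQUIRED") and not code_challenge:
        return "invalid_request: code_challenge is required"
    if pkce_enforcement == "S256_REQUIRED" and method != "S256":
        return "invalid_request: code_challenge_method must be S256"
    return None


def verify_code_verifier(recorded_challenge, recorded_method, presented_verifier):
    """Steps 6 and 7: transform the presented code_verifier with the recorded method and
    compare it, in constant time, with the code_challenge recorded at authorize time."""
    try:
        expected = compute_code_challenge(presented_verifier, recorded_method)
    except ValueError:
        return False
    return hmac.compare_digest(expected, recorded_challenge)


def run_flow_locally():
    """Walk the whole exchange in-process with constructed values; returns True if the
    token request would be granted."""
    verifier = make_code_verifier()                       # step 1
    challenge = compute_code_challenge(verifier, "S256")  # step 2
    # step 3: client sends the authorize request (constructed, not a live endpoint)
    build_authorize_url("https://auth.pingone.com", "ENV_ID_PLACEHOLDER",
                        "CLIENT_ID_PLACEHOLDER", "myapp://callback", challenge)
    # step 4: server records challenge + method, rejects if enforcement is not met
    if check_enforcement("S256_REQUIRED", challenge, "S256") is not None:
        return False
    recorded = {"code_challenge": challenge, "code_challenge_method": "S256"}
    # step 5: client sends the code plus its verifier to the token endpoint
    body = build_token_request_body("CLIENT_ID_PLACEHOLDER", "myapp://callback",
                                    "AUTH_CODE_PLACEHOLDER", verifier)
    # steps 6-7: server recomputes and compares
    return verify_code_verifier(recorded["code_challenge"],
                                recorded["code_challenge_method"], body["code_verifier"])
```

An interceptor that captures only the authorization code cannot complete step 5, because `verify_code_verifier` will fail for any verifier other than the one created in step 1; `check_enforcement` is what turns a missing or `plain` challenge into an error under `S256_REQUIRED`, matching the behaviour described in step 3.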

## Workflow tasks

This scenario illustrates the following operations supported by the PingOne APIs:

* Create an application and set its `pkceEnforcement` property.

* Create an authorization request that includes `code_challenge` and `code_challenge_method` parameter values.

* Create a token request that includes the `code_verifier` secret.

## Prerequisites

Get an access token from the worker application that you created in [Create an admin Worker app connection](../../../getting-started/create-an-admin-worker-app.html). To get a token from a different worker application in an alternate sandbox environment, run the token request endpoint using the client ID and client secret of your chosen worker app to authenticate the request. For more information, refer to [Get a PingOne admin access token](../../../getting-started/create-a-test-environment/step-1-get-access-token.html).

Before you begin this activity, you must create the `code_verifier` value and use it to compute the `code_challenge` value. The Postman collection uses a script to create these values and write them to your Postman environment. If you choose to create these values manually, you can use the [PingOne PKCE Code Generator](https://developer.pingidentity.com/en/tools/pkce-code-generator.html) and record your values as variables in your Postman environment. This scenario uses the `S256_REQUIRED` PKCE enforcement option for illustrative purposes only. You can also use the `REQUIRED` option, which specifies that a PKCE `code_challenge` is required and any code challenge method is acceptable. For more information, refer to [RFC7636](https://tools.ietf.org/html/rfc7636#section-4.1).

Click the **Run in Postman** button below to fork, or download and import, the Postman collection for this workflow to your workspace.

[Run in Postman](https://god.gw.postman.com/run-collection/18568624-4c6f9f73-7082-4ea9-ad30-a1313cecc21d?action=collection%2Ffork\&source=rip_markdown\&collection-url=entityId%3D18568624-4c6f9f73-7082-4ea9-ad30-a1313cecc21d%26entityType%3Dcollection%26workspaceId%3D3550b170-7818-4801-b1eb-dcb7b3f64263#?env%5BPingOne%20Workflow%20Library%20Template%20%28release%3A%202025-04-17%29%5D=W3sia2V5IjoidGxkIiwidmFsdWUiOiJjb20iLCJlbmFibGVkIjp0cnVlLCJ0eXBlIjoiZGVmYXVsdCJ9LHsia2V5IjoiYXV0aFBhdGgiLCJ2YWx1ZSI6Imh0dHBzOi8vYXV0aC5waW5nb25lLnt7dGxkfX0iLCJlbmFibGVkIjp0cnVlLCJ0eXBlIjoiZGVmYXVsdCJ9LHsia2V5IjoiYXBpUGF0aCIsInZhbHVlIjoiaHR0cHM6Ly9hcGkucGluZ29uZS57e3RsZH19L3YxIiwiZW5hYmxlZCI6dHJ1ZSwidHlwZSI6ImRlZmF1bHQifSx7ImtleSI6ImFkbWluRW52SUQiLCJ2YWx1ZSI6IiIsImVuYWJsZWQiOnRydWUsInR5cGUiOiJkZWZhdWx0In0seyJrZXkiOiJhZG1pbkFwcElEIiwidmFsdWUiOiIiLCJlbmFibGVkIjp0cnVlLCJ0eXBlIjoiZGVmYXVsdCJ9LHsia2V5IjoiYWRtaW5BcHBTZWNyZXQiLCJ2YWx1ZSI6IiIsImVuYWJsZWQiOnRydWUsInR5cGUiOiJkZWZhdWx0In0seyJrZXkiOiJlbnZJRCIsInZhbHVlIjoiIiwiZW5hYmxlZCI6dHJ1ZSwidHlwZSI6ImRlZmF1bHQifV0=)
