Glen

Join the waitlist

We onboard teams in waves. Leave your work email and we'll send your invite when your spot opens.

What is PKCE?

PKCE (Proof Key for Code Exchange) is an OAuth 2.1 extension that stops stolen authorization codes from being redeemed, by binding the code to a secret the client proves it knows at token exchange.

PKCE, pronounced pixy and standing for Proof Key for Code Exchange, is a security extension to the OAuth authorization-code flow, and it is mandatory in OAuth 2.1, the profile MCP authorization builds on. It protects against authorization-code interception: an attacker who manages to capture the code as it returns to the client still cannot exchange it for a token. The mechanism is simple. Before starting the flow the client generates a random secret called the code verifier, hashes it into a code challenge, and sends only the challenge with the initial authorization request. The authorization server remembers the challenge and issues a code as usual. When the client later exchanges that code for tokens, it must present the original verifier; the server hashes it and checks it matches the challenge it stored. Because the verifier never traveled over the redirect, a stolen code is useless without it. PKCE originally targeted mobile and single-page apps that cannot keep a client secret, but OAuth 2.1 now requires it for all clients, so every MCP client doing OAuth, including ones using Dynamic Client Registration, runs PKCE as part of sign-in.