What is PKCE?

PKCE (Proof Key for Code Exchange, RFC 7636) is an OAuth extension, mandatory in OAuth 2.1, that stops a stolen authorization code from being redeemed by binding the code to a secret that only the client holds and must prove it knows at token exchange.

PKCE, pronounced "pixy" and standing for Proof Key for Code Exchange, is a security extension to the OAuth authorization-code flow defined in RFC 7636. It was optional in OAuth 2.0 and is mandatory in OAuth 2.1, the profile that MCP authorization builds on. It protects against authorization-code interception: an attacker who captures the code as it returns to the client (for example, another app registered for the same custom URI scheme on a mobile device) still cannot exchange it for a token.

The mechanism is simple. Before starting the flow, the client generates a high-entropy random string of 43 to 128 characters called the code verifier, derives a code challenge from it (with the S256 method, the base64url-encoded SHA-256 hash of the verifier), and sends only the challenge, together with code_challenge_method=S256, in the authorization request. The authorization server stores the challenge alongside the code it issues. When the client later exchanges that code for tokens, it must present the original verifier; the server hashes it and checks that the result matches the stored challenge, and rejects the exchange otherwise. Because the verifier never traveled over the redirect, a stolen code is useless without it.

Two practical caveats. The "plain" challenge method, where the challenge is the verifier itself, gives no protection against an attacker who can see the authorization request, so use S256 everywhere. And a client should confirm that the authorization server supports PKCE before starting the flow (for example, by checking that code_challenge_methods_supported in the server's metadata lists S256) rather than silently proceeding without it; PKCE only protects the flow when both sides actually enforce it.

PKCE originally targeted public clients such as mobile and single-page apps, which cannot keep a client secret, but OAuth 2.1 requires it for all clients, confidential ones included, so every MCP client doing OAuth, including ones that use Dynamic Client Registration, runs PKCE as part of sign-in.
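The exchange described above, both the client and the server side, as an added Python example that is not part of this page or of any MCP implementation. The AuthorizationServer class, the client id "mcp-client" and the metadata dictionary are constructed for illustration; the verifier and challenge derivation follows RFC 7636, and the RFC's own test vector (Appendix B) can be used to check code_challenge_s256. The interception scenario at the end is also constructed: the attacker has the code but not the verifier.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Client side. RFC 7636 section 4.1: the verifier is 43-128 characters from
# [A-Za-z0-9-._~]. token_urlsafe(32) yields 43 such characters.
def generate_code_verifier() -> str:
    return secrets.token_urlsafe(32)

# Client side. S256: BASE64URL(SHA256(ASCII(verifier))) with '=' padding stripped.
def code_challenge_s256(verifier: str) -> str:
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

# Client side, before starting the flow: check that the server advertises S256
# (field name from RFC 8414 metadata) instead of silently proceeding without PKCE.
def server_supports_s256(metadata: dict) -> bool:
    return "S256" in metadata.get("code_challenge_methods_supported", [])


class AuthorizationServer:
    """Hypothetical in-memory model of the server side (assumed, not a real AS)."""

    def __init__(self) -> None:
        self._pending = {}  # code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str,
                  code_challenge_method: str = "S256") -> str:
        # Refuse "plain": the challenge would equal the verifier, so anyone who
        # saw the authorization request could redeem the code.
        if code_challenge_method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: Optional[str]) -> dict:
        # Single use: drop the code on the first attempt, successful or not, so a
        # stolen code cannot be used to brute-force the verifier.
        entry = self._pending.pop(code, None)
        if entry is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        bound_client, challenge = entry
        if bound_client != client_id or not code_verifier:
            raise PermissionError("invalid_grant: missing verifier")
        if not hmac.compare_digest(code_challenge_s256(code_verifier), challenge):
            raise PermissionError("invalid_grant: verifier does not match challenge")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def simulate_interception() -> dict:
    """Constructed scenario: the attacker captures the code on the redirect but
    never sees the verifier, which stayed inside the client."""
    server = AuthorizationServer()
    client_id = "mcp-client"  # hypothetical client id

    # Flow 1: the attacker redeems the stolen code first, guessing a verifier.
    verifier = generate_code_verifier()
    code = server.authorize(client_id, code_challenge_s256(verifier))
    attacker_rejected = False
    try:
        server.token(client_id, code, generate_code_verifier())
    except PermissionError:
        attacker_rejected = True

    # Flow 2: the legitimate client redeems its own code with the real verifier.
    verifier2 = generate_code_verifier()
    code2 = server.authorize(client_id, code_challenge_s256(verifier2))
    token = server.token(client_id, code2, verifier2)

    # Replaying an already-redeemed code fails even with the right verifier.
    replay_rejected = False
    try:
        server.token(client_id, code2, verifier2)
    except PermissionError:
        replay_rejected = True

    return {
        "attacker_rejected": attacker_rejected,
        "client_got_token": "access_token" in token,
        "replay_rejected": replay_rejected,
    }


if __name__ == "__main__":
    print(simulate_interception())
```

The server burns the code on any exchange attempt, which means an attacker who races the legitimate client denies it the token but still gets nothing; that is the intended outcome, since the code was compromised either way. The constant-time comparison is a habit rather than a necessity here, because the challenge is not secret once the authorization request has been sent.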