javascript 12 lines · 1 tab

OAuth 2.0 Authorization Code with PKCE for public clients

Kai Nakamura Apr 2026
1 tab
import { sha256 } from './crypto.js';

const codeVerifier = crypto.randomUUID() + crypto.randomUUID();
sessionStorage.setItem('pkce_verifier', codeVerifier);

const digest = await sha256(codeVerifier);
const codeChallenge = btoa(String.fromCharCode(...new Uint8Array(digest)))
  .replace(/\+/g, '-')
  .replace(/\//g, '_')
  .replace(/=+$/, '');

location.href = `https://auth.example.com/oauth/authorize?response_type=code&client_id=spa-client&code_challenge_method=S256&code_challenge=${codeChallenge}`;
1 file · javascript Explain with highlit

For browser and mobile clients, PKCE closes an important hole in the classic authorization code flow. I use it by default with public clients, require exact redirect URI matching, and keep token exchange on TLS only. This is one of those cases where the secure default should also be the ergonomic default.

Share this code

Here's the card — post it anywhere.

OAuth 2.0 Authorization Code with PKCE for public clients — share card
Link copied