Overview
PKCE (Proof Key for Code Exchange) prevents authorization code interception attacks. Grantex supports the S256 challenge method as defined in RFC 7636. The SDK provides a generatePkce() helper that generates a cryptographically secure code verifier and its corresponding S256 challenge.
Import
Grantex client instance. It uses Node.js crypto under the hood.
generatePkce()
Response: PkceChallenge
A 32-byte random value encoded as base64url. Keep this secret — it is used in the token exchange step.
The SHA-256 hash of codeVerifier, encoded as base64url. This is sent in the authorize request.
Always 'S256'.
Full PKCE flow
Step 1: Generate the PKCE pair
Step 2: Authorize with the code challenge
Step 3: Exchange with the code verifier
Security considerations
- The codeVerifier must be stored server-side (e.g. in a session or encrypted cookie). Never expose it to the client.
- Each PKCE pair is single-use. Generate a new pair for every authorization flow.
- The S256 method is mandatory — plain challenge methods are not supported.
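The S256 relationship between verifier and challenge described above, together with the check an authorization server performs when the code is redeemed, as an added example that is not Grantex SDK code. The function names (s256, makePkcePair, verifyPkce) and the field names codeChallenge and codeChallengeMethod are assumptions made for illustration; the test vector is the one published in RFC 7636 Appendix B.

```javascript
// Added illustration of RFC 7636 S256; not the Grantex SDK source.
// s256, makePkcePair and verifyPkce are hypothetical names.
const crypto = require('node:crypto');

// RFC 7636 section 4.1: a verifier is 43-128 characters from the unreserved set.
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

// code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
function s256(codeVerifier) {
  return crypto.createHash('sha256').update(codeVerifier, 'ascii').digest('base64url');
}

// Client side: 32 random bytes become a 43-character base64url verifier.
function makePkcePair() {
  const codeVerifier = crypto.randomBytes(32).toString('base64url');
  return { codeVerifier, codeChallenge: s256(codeVerifier), codeChallengeMethod: 'S256' };
}

// Server side: `stored` is the challenge and method recorded with the
// authorization code; `presentedVerifier` arrives in the token exchange.
function verifyPkce(stored, presentedVerifier) {
  if (stored.codeChallengeMethod !== 'S256') return false; // no "plain" fallback
  if (typeof presentedVerifier !== 'string') return false;
  if (!VERIFIER_RE.test(presentedVerifier)) return false;
  const expected = Buffer.from(stored.codeChallenge, 'utf8');
  const actual = Buffer.from(s256(presentedVerifier), 'utf8');
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  return expected.length === actual.length && crypto.timingSafeEqual(expected, actual);
}

// Test vector from RFC 7636 Appendix B.
const RFC_VERIFIER = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk';
const RFC_CHALLENGE = 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM';

const pair = makePkcePair();
console.log('RFC vector matches:', s256(RFC_VERIFIER) === RFC_CHALLENGE);
console.log('correct verifier accepted:', verifyPkce(pair, pair.codeVerifier));
// A party holding only the authorization code and challenge has no valid verifier.
console.log('other verifier accepted:', verifyPkce(pair, makePkcePair().codeVerifier));
```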