Skip to main content

Overview

PKCE (Proof Key for Code Exchange) prevents authorization code interception attacks. Grantex supports the S256 challenge method as defined in RFC 7636. The SDK provides a generatePkce() helper that generates a cryptographically secure code verifier and its corresponding S256 challenge.

Import

This function does not require a Grantex client instance. It uses Node.js crypto under the hood.

generatePkce()

Response: PkceChallenge

codeVerifier
string
A 32-byte random value encoded as base64url. Keep this secret — it is used in the token exchange step.
codeChallenge
string
The SHA-256 hash of codeVerifier, encoded as base64url. This is sent in the authorize request.
codeChallengeMethod
'S256'
Always 'S256'.

Full PKCE flow

Step 1: Generate the PKCE pair

Step 2: Authorize with the code challenge

Step 3: Exchange with the code verifier

If a codeChallenge was provided in the authorize step, the codeVerifier is required in the exchange step. The server will reject the request if the verifier does not match the original challenge.

Security considerations

  • The codeVerifier must be stored server-side (e.g. in a session or encrypted cookie). Never expose it to the client.
  • Each PKCE pair is single-use. Generate a new pair for every authorization flow.
  • The S256 method is mandatory — plain challenge methods are not supported.
Last modified on February 28, 2026