Authentication & OAuth

PKCE (Proof Key for Code Exchange)

An OAuth 2.0 security extension (RFC 7636) that prevents authorization code interception attacks in public clients. Before the authorization request, the client generates a random code verifier and derives a code challenge from it. The challenge is sent with the authorization request; the verifier is sent during the token exchange. Only the client that initiated the request can complete the exchange, making PKCE mandatory for SPAs and mobile apps.

Related protocols

See also