STANDARD

pkce — Primer

PKCE (RFC 7636) protects the authorization code flow by binding the code to a one‑time verifier, preventing code interception on public clients.


Why it matters

Standards reduce risk and vendor lock‑in. We implement this spec across our Studios and runtime so policy is portable.

Where it’s enforced

  • Gateway: pre‑execution gating (plan/schema pins, params/egress)
  • Shield: inline budgets/stream caps/content checks
  • PDP: decisions with constraints/obligations/TTL
  • IdP: passports, token exchange, consent/DPoP

How it works (high level)

PKCE (RFC 7636) mitigates authorization code interception. Prefer code_challenge_method=S256: the challenge sent in the authorization request is then a SHA-256 hash of the verifier, so an attacker who observes that request cannot recover the verifier needed at the token endpoint. The verifier length MUST be 43–128 characters from the unreserved set (A–Z, a–z, 0–9, "-", ".", "_", "~"); its lifetime MUST NOT exceed the authorization code lifetime.

```mermaid
sequenceDiagram
  autonumber
  participant UA as Browser
  participant Client
  participant AS as Authorization Server
  UA->>AS: /authorize (code_challenge, code_challenge_method=S256)
  AS-->>UA: 302 redirect with code
  UA->>Client: redirect_uri?code=...
  Client->>AS: /token (code, code_verifier)
  AS-->>Client: access_token
```
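The following is an added, self-contained example (not code from this page or from the product it describes) showing both sides of the exchange above: the client generates a verifier within the RFC 7636 length and character rules and derives the S256 challenge; a toy authorization server (the `AuthorizationServer` class and its `code_ttl_seconds` / `require_s256` parameters are assumptions made for this example) binds the challenge to the code, expires the code, makes it single-use, and compares the derived challenge in constant time. The S256 test vector in the comment is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import re
import secrets
import time

# RFC 7636 section 4.1: code_verifier is 43..128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """Client side: random bytes, base64url without padding (32 bytes -> 43 chars, 96 -> 128)."""
    if not 32 <= n_bytes <= 96:
        raise ValueError("32..96 random bytes keeps the verifier within 43..128 characters")
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(code_verifier: str) -> str:
    """S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding (RFC 7636 section 4.2).

    RFC 7636 Appendix B vector: verifier "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    yields challenge "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM".
    """
    if not VERIFIER_RE.match(code_verifier):
        raise ValueError("code_verifier violates RFC 7636 section 4.1")
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Toy AS (constructed for this example) keeping only the PKCE state bound to each code."""

    def __init__(self, code_ttl_seconds: int = 60, require_s256: bool = True, clock=time.monotonic):
        self._codes = {}
        self.code_ttl = code_ttl_seconds
        self.require_s256 = require_s256
        self.clock = clock  # injectable so expiry can be tested without sleeping

    def authorize(self, code_challenge: str, code_challenge_method: str = "plain") -> str:
        """/authorize: store the challenge with the code; the code inherits the verifier's lifetime."""
        if code_challenge_method not in ("S256", "plain"):
            raise ValueError("unsupported code_challenge_method")
        # Hardened policy: refuse 'plain', where the challenge is the verifier itself.
        if self.require_s256 and code_challenge_method != "S256":
            raise ValueError("code_challenge_method=S256 is required")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "challenge": code_challenge,
            "method": code_challenge_method,
            "expires": self.clock() + self.code_ttl,
        }
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        """/token: True only for an unexpired, unused code whose verifier matches the stored challenge."""
        # Pop so a replayed code fails even when the correct verifier is presented.
        entry = self._codes.pop(code, None)
        if entry is None or self.clock() > entry["expires"]:
            return False
        if not VERIFIER_RE.match(code_verifier):
            return False
        if entry["method"] == "S256":
            expected = code_challenge_s256(code_verifier)
        else:
            expected = code_verifier
        # Constant-time comparison of the recomputed challenge against the stored one.
        return hmac.compare_digest(expected, entry["challenge"])


if __name__ == "__main__":
    verifier = generate_code_verifier()
    server = AuthorizationServer()
    code = server.authorize(code_challenge_s256(verifier), "S256")
    print("valid verifier accepted:", server.token(code, verifier))
    print("code reuse rejected:", not server.token(code, verifier))
```

The server never stores the verifier, only the challenge, so a compromised code store does not yield what the client must present; the verifier is rejected up front if it is outside 43–128 characters, and the stored expiry enforces the rule that the verifier cannot outlive the code.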

References
