OAuth 2.0 PKCE

Expanded Definition

OAuth 2.0 PKCE, pronounced “pixy,” is an extension to the OAuth 2.0 authorization code flow that binds the code exchange to the same client that initiated it. The client creates a high-entropy code verifier, derives a code challenge, and presents that challenge during authorization. When the authorization server later returns the code, the client must present the original verifier to redeem it.

This matters in NHI and agentic access patterns because native apps, mobile apps, and other public clients cannot safely store a client secret. PKCE reduces the value of intercepted authorization codes and is now a standard mitigation in modern public-client OAuth design, as reflected in RFC 7636. Guidance across vendors is broadly aligned, but implementation details still vary, especially around redirect handling, app-to-app handoff, and token lifetime.

PKCE is not a replacement for consent, token hygiene, or redirect URI validation. It is a transport binding mechanism for the authorization code leg of the flow, not a full identity assurance model. The most common misapplication is treating PKCE as sufficient protection for any OAuth client, which occurs when teams skip secret management, redirect hardening, and app integrity checks for public clients.

Examples and Use Cases

Implementing PKCE rigorously often introduces a small amount of client-side complexity, requiring organisations to weigh better code-exchange protection against more careful app and session design.

• A mobile banking app initiates OAuth without embedding a client secret, using PKCE to protect the authorization code even if the device network path is observed.
• A desktop agent that opens the system browser for sign-in uses PKCE so the callback code cannot be replayed by another process on the same host.
• A SaaS integration that relies on third-party authorization follows PKCE alongside redirect URI allowlisting to reduce the risk of code interception and token theft.
• An incident review references the Salesloft OAuth token breach to show how OAuth misbinding and weak governance can amplify downstream access once tokens are issued.
• Security architects compare PKCE-enabled public clients with browser-based guidance in NIST Cybersecurity Framework 2.0 to align authentication hardening with broader access control objectives.

PKCE also appears in recovery and containment workflows when organizations need to distinguish whether an intercepted code, a stolen refresh token, or a compromised device caused the access event.

Why It Matters in NHI Security

PKCE is relevant to NHI security because many machine-facing and app-mediated identities are created through OAuth flows that do not involve a human sitting in front of a browser. If PKCE is omitted or incorrectly implemented, intercepted authorization codes can be exchanged for access tokens, creating a direct path into API-backed business systems, collaboration platforms, and connected vendor services.

This is especially important given that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security by Astrix Security & CSA. That visibility gap means OAuth abuse can remain hidden until unusual API activity, data exfiltration, or tenant-to-tenant access is already underway. NHIMG also reports that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, reinforcing that oauth token and authorization flows belong in the NHI threat model.

Organisations typically encounter the operational importance of PKCE only after token misuse, app impersonation, or a breached integration forces them to trace how an authorization code was obtained and redeemed.

Related resources from NHI Mgmt Group

• OAuth Connected App
• How should security teams implement PKCE across OAuth clients?
• How does OAuth 2.0 work for NHIs and what are its limitations?
• What is OpenID Connect (OIDC) and how does it extend OAuth 2.0 for NHIs?