Technical

PKCE: why it matters for native and SPA apps

Jan 17, 2026

PKCE: Why It Matters for Native and SPA Apps

In the world of modern web applications, the OAuth2 protocol has become the de facto standard for secure authentication and authorization. However, for native applications and Single Page Applications (SPAs), the traditional OAuth2 flow presents significant challenges. This is where PKCE (Proof Key for Code Exchange) comes into play.

What is PKCE?

PKCE is an extension to the OAuth2 authorization code flow that allows public clients to authenticate themselves without the need for a client secret. This is particularly important for native and SPA applications, which often lack the ability to securely store and manage client secrets.

Key Insight: Public clients cannot keep secrets. PKCE protects the OAuth2 authorization code flow for apps that can't use client secrets.

Why PKCE Matters for Native and SPA Apps

Native applications and SPAs typically run in the browser and do not have access to secure storage mechanisms. This makes them vulnerable to attacks such as man-in-the-middle (MITM) and token leakage. PKCE addresses these vulnerabilities by introducing a mechanism that allows the client to prove its identity without the need for a client secret.

Let's look at how PKCE works in practice:

  • Step 1: The client generates a random string, known as the "code verifier."
  • Step 2: The client creates a "code challenge" by hashing the code verifier using a specific algorithm (e.g., SHA-256).
  • Step 3: The client sends the code challenge as part of the authorization request.
  • Step 4: The authorization server responds with an authorization code.
  • Step 5: The client uses the code verifier to exchange the authorization code for an access token.

This process ensures that even if an attacker intercepts the authorization code, they cannot use it to gain access to the application's resources without the code verifier.

Implementing PKCE in Practice

Let's look at a code example for implementing PKCE in a native or SPA application:


      // Generate a random code verifier
      const codeVerifier = 'randomstring1234567890';
      
      // Create a code challenge by hashing the code verifier
      const codeChallenge = 'sha256(' + codeVerifier + ')';
      
      // Send the authorization request with the code challenge
      const response = await fetch('https://auth-server.com/authorize', {
        method: 'POST',
        body: new URLSearchParams({
          client_id: 'your_client_id',
          redirect_uri: 'your_redirect_uri',
          scope: 'your_scope',
          code_challenge: codeChallenge
        })
      });
      
      // Exchange the authorization code for an access token
      const tokenResponse = await fetch('https://auth-server.com/token', {
        method: 'POST',
        body: new URLSearchParams({
          client_id: 'your_client_id',
          code: 'your_authorization_code',
          code_verifier: codeVerifier
        })
      });

This example demonstrates how PKCE can be implemented in a native or SPA application to securely authenticate and authorize users without the need for a client secret.

Warning: Always use a secure random generator for the code verifier. Never reuse the same code verifier across different sessions.

Why Bastionary Uses PKCE

At Bast