PKCE (OAuth)
PKCE (Proof Key for Code Exchange) is an OAuth 2.0 extension that protects public clients from authorization-code interception attacks.
In plain English
PKCE — pronounced "pixy" — is an add-on to OAuth 2.0 for clients that cannot safely hold a secret. Before the auth request, the client generates a random "code verifier" and its hash, the "code challenge." It sends the challenge with the initial request. When it redeems the authorization code for tokens, it must supply the original verifier. Only the legitimate client has it, so an attacker who intercepts the code cannot trade it for tokens.
PKCE is now considered best practice for every OAuth client, not just public ones. Web apps, SPAs, native apps, desktop apps, CLIs — all benefit from it. Modern identity providers require it on new configurations. Any OAuth integration you ship in 2026 should use PKCE by default.
Why it matters for Black Box
Black Box's OAuth flows use PKCE for every connection the owner authorizes — Google, GitHub, Slack, and others. When the desktop variant of the product shipped, the loopback redirect flow relied on PKCE as its primary defense against code interception.
Examples
- A CLI tool generating a verifier, opening the browser, and redeeming the code with the verifier.
- A SPA sending a code challenge on the initial redirect and the verifier on the token exchange.
- A desktop app using loopback + PKCE to avoid a custom URL scheme.
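The verifier/challenge mechanism described above, shown end to end as an added example (not Black Box's code): the client derives an S256 challenge from a random verifier, a minimal in-memory authorization server stores the challenge against the issued code, and the token endpoint redeems the code only when the presented verifier hashes back to that challenge. The `AuthServer` class and its method names are assumptions for illustration; the hashing follows RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets


def generate_code_verifier() -> str:
    # 48 random bytes -> 64 URL-safe chars, inside RFC 7636's 43..128 range.
    return secrets.token_urlsafe(48)


def code_challenge_s256(verifier: str) -> str:
    # challenge = BASE64URL(SHA256(ASCII(verifier))) with padding stripped.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(stored_challenge: str, method: str, verifier: str) -> bool:
    # Server side: recompute the challenge from the presented verifier and
    # compare in constant time. Reject unknown methods and bad lengths.
    if not 43 <= len(verifier) <= 128:
        return False
    if method == "S256":
        expected = code_challenge_s256(verifier)
    elif method == "plain":
        expected = verifier
    else:
        return False
    return hmac.compare_digest(expected, stored_challenge)


class AuthServer:
    """Hypothetical in-memory authorization server (constructed for this example)."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        # The challenge travels with the initial request and is bound to the code.
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, code_challenge, method)
        return code

    def token(self, code: str, client_id: str, code_verifier: str):
        # Codes are single use: a failed exchange burns the code too, so an
        # intercepted code cannot be retried with guessed verifiers.
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        owner, challenge, method = entry
        if owner != client_id or not verify_pkce(challenge, method, code_verifier):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```

A client that never learns the verifier (the interception case) gets nothing back from `token`, which is the whole point of the extension.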