Proof Key for Code Exchange
Required for all public clients (SPAs, mobile apps, desktop apps). If you're building a public (non-confidential) OAuth client, PKCE is mandatory per current best practice.
What It Defines
Extends the OAuth 2.0 Authorization Code flow with a cryptographic challenge/verifier pair. Prevents authorization code interception attacks in mobile, SPA, and desktop apps where client secrets can't be kept confidential.
Canonical (Normative)
Convenient (Practical)
The canonical publication point for finalized RFCs. If a protocol is standardized as an RFC, the RFC Editor text is the normative final reference. Published by the IETF, IRTF, IAB, and independent stream.
Related Specs
The foundation of modern app auth: third-party login, API authorization, SSO, and machine-to-machine access all use OAuth 2.0.
Sign-in with Google, Apple, and GitHub all use OIDC. If your app authenticates users via a third party, you're using OIDC whether you know it or not.