> For the complete documentation index, see [llms.txt](https://docs.developer.singpass.gov.sg/docs/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/proof-of-key-code-exchange-pkce.md). # Proof of Key Code Exchange (PKCE) Proof Key for Code Exchange(PKCE) is an extension to the Authorization Code flow to prevent Cross Site Request Forgery(CSRF) and Authorization code injection attacks. (Refer to )\ \ ![](https://api.singpass.gov.sg/assets/api-lib/myinfo/img/v4/pkce.png) 1. User access to the client application. 2. Client application creates a cryptographically random string as a secret key (code\_verifier) that only it knows and creates a base64url encoded hash of the secret key(code\_challenge). 3. Client application returns the code\_challenge and creates a frontend session to the user's browser. 4. Browser calls /authorize API with the code\_challenge. 5. The AuthZ server returns the authcode. 6. Client application calls /token API with the code\_verifier and authcode. 7. The AuthZ server will ensure that the code\_verifier has the same hash as the code\_challenge before issuing the access\_token. **i) Create code\_verifier** *** Create a code\_verifier, which is the cryptographically random string that will eventually be sent to Token API to request for access\_token.Copy to clipboard ``` // Dependency: Node.js crypto module (https://nodejs.org/api/crypto.html#crypto_crypto)   function base64URLEncode(str) { return str.toString('base64') .replace(/\+/g, '-') .replace(/\//g, '_') .replace(/=/g, ''); }   // The client generates a random string of bytes and saved into a persistent session store let codeVerifier = base64URLEncode(crypto.randomBytes(32)); ``` **i) Create code\_challenge** *** Using the code\_verifier, generate a code\_challenge that will be sent in the /authorize API. Copy to clipboard ``` // Dependency: Node.js crypto module (https://nodejs.org/api/crypto.html#crypto_crypto)   function base64URLEncode(str) { return str.toString('base64') .replace(/\+/g, '-') .replace(/\//g, '_') .replace(/=/g, ''); }   // The client hashes these bytes and encodes them for use in a url let codeChallenge = base64URLEncode(crypto.createHash('sha256').update(codeVerifier).digest()); ``` code\_challenge should be generated from the raw bytes of the code\_verifier and not the hex encoded string.\ \ Example: 'helloworld' code\_verifier should produce 'k2oYXKqiZrucvpgengXLeM1zKwsygOuURBK7b4-PB68' as code\_challenge --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/proof-of-key-code-exchange-pkce.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.