Proof Key for Code Exchange
PKCE, pronounced pixy, hardens the OAuth authorization code flow against interception attacks. The client creates a secret verifier, sends its hash when requesting the code, and must present the original verifier to redeem it. It was designed for mobile apps that cannot keep a client secret and is now recommended for all OAuth clients.