3rd Party Integration

WordPress OAuth Server Proof Key for Code Exchange (PKCE) Support

Published: November 26, 2020 | Updated: January 14th, 2021

When a client cannot store a secret securely, PKCE adds a level of security that helps keep authorization requests genuine. Proof Key for Code Exchange is a way to attach a signature or string known as the “verifier” to authorization code requests and token requests.

This documentation will attempt to provide a walkthrough of using PKCE for WordPress OAuth Server. Keep in mind, this documentation may vary from typical PKCE implementations.

PKCE Basics

This documentation is not intended to explain the full scope of PKCE. For a deeper understanding of Proof Key for Code Exchange visit This documentation will explain the basics of PKCE and WordPress OAuth Server.


General PKCE Terms

  • Verifier: The verifier is a random string created by the client. This string should be unique to an authorization request.
  • Code Challenge: A Code Challenge is a hashed Verifier.
  • Code Challenge Method: A Code Challenge Method is the algorithm used to hash the verifier to create the Code Challenge. PKCE ONLY supports two values (“S256” and “plain”).

Creating a Code Challenge

Creating the code challenge is really easy using PHP. Below is a snippet demonstrating how to create a code challenge using the method “S256”.

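// Placeholder value: use a random string that is unique to each authorization request.
$code_verifier = 'random_string';
// Raw (binary) SHA-256 digest of the verifier.
$challenge_bytes = hash("sha256", $code_verifier, true);
// Base64url-encode the digest ("+/" become "-_") and strip the "=" padding.
$code_challenge = rtrim(strtr(base64_encode($challenge_bytes), "+/", "-_"), "=");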

WordPress OAuth Server also supports plain text as a verifier.

$code_verifier = 'plain_text_verifier';

Making an Authorization Request

The authorization endpoint for WordPress OAuth Server is below. Be sure to use your setup's domain name instead of Note the endpoint “/oauth/authorize/”.


The example authorization request below is using PKCE. Take note of the parameters “code_verifiry” and “code_challenge_method”.

GET /oauth/authorize HTTP/1.1
Content-Type: application/x-www-form-urlencoded

Token Request with PKCE

According to the draft, a client that sent a “code_challenge” during the code request MUST send the “code_verifier” when making the token request.

POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

The code verifier created by the client in the original request MUST be sent in the token request so that WP OAuth Server can verify the PKCE request.
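The whole flow from the client's side, as an added example that is not part of the original documentation or WP OAuth Server's own code. It assumes the RFC 7636 parameter names (code_challenge, code_challenge_method, code_verifier); the host, client_id, redirect_uri and code values are placeholders, and pkce_verify() is a hypothetical helper sketching the check a server performs on the token request.

```php
<?php
// Added example, not WP OAuth Server's code. Parameter names follow RFC 7636;
// the host, client_id, redirect_uri and code values are placeholders.
function base64url(string $bytes): string {
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}
// 32 random bytes give a 43-character verifier, unique per authorization request.
function pkce_verifier(): string {
    return base64url(random_bytes(32));
}

function pkce_challenge(string $verifier, string $method = 'S256'): string {
    if ($method === 'plain') {
        return $verifier; // plain: the challenge is the verifier itself
    }
    if ($method !== 'S256') {
        throw new InvalidArgumentException('Unsupported code_challenge_method');
    }
    return base64url(hash('sha256', $verifier, true));
}

// Server-side check at the token endpoint: recompute, compare in constant time.
function pkce_verify(string $verifier, string $stored, string $method): bool {
    return hash_equals($stored, pkce_challenge($verifier, $method));
}

$verifier  = pkce_verifier(); // stays on the client until the token request
$challenge = pkce_challenge($verifier);

// Authorization request: carries only the challenge and its method.
$authorize_url = 'https://example.com/oauth/authorize/?' . http_build_query([
    'response_type'         => 'code',
    'client_id'             => 'CLIENT_ID_PLACEHOLDER',
    'redirect_uri'          => 'https://client.example/callback',
    'code_challenge'        => $challenge,
    'code_challenge_method' => 'S256',
]);

// Token request body: carries the original verifier.
$token_body = http_build_query([
    'grant_type'    => 'authorization_code',
    'code'          => 'CODE_PLACEHOLDER',
    'redirect_uri'  => 'https://client.example/callback',
    'client_id'     => 'CLIENT_ID_PLACEHOLDER',
    'code_verifier' => $verifier,
]);

echo $authorize_url, "\n", $token_body, "\n";
var_dump(pkce_verify($verifier, $challenge, 'S256'), pkce_verify('wrong', $challenge, 'S256'));
```

An S256 challenge is always 43 characters, well under the storage limit noted below; with the plain method the stored value is as long as the verifier itself.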

Notes and Limitations

  • The Code Challenge Storage Character Limit is 1000. Keep the challenges under this limit, or they will be truncated and requests will fail.
  • WP OAuth Server's PKCE code challenge supports the s256 and plain methods.