pasbydocs
OIDC API

PKCE

Generate code challenge and verifier for OIDC session security.

PKCE (RFC 7636) proves your backend started the session that receives the handshake.

Rules

  • code_challenge = BASE64URL(SHA256(verifier)), no padding
  • Send challenge at session start (kipindi)
  • Send verifier at token exchange (kupeana)
  • One verifier per session; never reuse across users
  • Keep the verifier on your server only

Distinct from session challenge

The session challenge returned at exchange is required on the resource call—it is not the PKCE challenge. Use clear names in your code: pkceVerifier vs sessionChallenge.

Example (Node.js)

import { createHash, randomBytes } from "node:crypto";

function base64Url(buf) {
  return buf
    .toString("base64")
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
    .replace(/=+$/, "");
}

const verifier = base64Url(randomBytes(32));
const challenge = base64Url(
  createHash("sha256").update(verifier).digest(),
);

Store verifier until exchange completes.

React & Node integration

@finsel-dgi/pasby-react — loginWithSecret, tokenSwap, and eidResource for custom backends.

Start session

POST /api/v1/oidc/kipindi and /login — begin OIDC identification.

On this page

RulesDistinct from session challengeExample (Node.js)