---
title: PKCE enforcement
description: You can use PKCE (Proof Key for Code Exchange) to secure applications, especially native mobile applications, that might otherwise be susceptible to an authorization code interception attack.
component: pingone
page_id: pingone:applications:p1_pkce_enforcement
canonical_url: https://docs.pingidentity.com/pingone/applications/p1_pkce_enforcement.html
revdate: May 10, 2023
---

# PKCE enforcement

You can use PKCE (Proof Key for Code Exchange) to secure applications, especially native mobile applications, that might otherwise be susceptible to an authorization code interception attack.

For more information about PKCE, see [RFC7636](https://tools.ietf.org/html/rfc7636).

Note: PKCE enforcement is available for Authorization Code grants only and applies only to applications that use such grants.

PingOne includes the following options for PKCE enforcement:

* Optional

  PKCE `code_challenge` is optional, and any code challenge method is acceptable.

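  Although permitted, avoid using the `plain` challenge method. With `plain`, the code challenge is identical to the code verifier, so an attacker who observes the challenge on the device or in the HTTP request has the value needed to redeem the authorization code.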

* Required

  PKCE `code_challenge` is required, but any code challenge method is acceptable.

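  Although permitted, avoid using the `plain` challenge method. With `plain`, the code challenge is identical to the code verifier, so an attacker who observes the challenge on the device or in the HTTP request has the value needed to redeem the authorization code.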

* S256\_required

  PKCE `code_challenge` is required, and the code challenge method must be `S256` (SHA-256).

  The `S256` method protects against eavesdroppers who observe or intercept the `code_challenge`, because the challenge is a hash of the code verifier and cannot be used without the code verifier value.

  For more information about how the SHA-256 hash is base64url-encoded to form the code challenge, see section 4.2 of [RFC7636](https://tools.ietf.org/html/rfc7636).

To enable PKCE enforcement in your application, see [Editing an application - Native](p1_edit_application_native.html).
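
The following is an added example, not PingOne code: a sketch of how an authorization server could apply the three enforcement options at the authorization request and then check the `code_verifier` at the token request, following RFC 7636. The policy strings and the function names are assumptions chosen to mirror the options above.

```python
import base64
import hashlib
import hmac
import re

# Illustrative policy names mirroring the options on this page (assumed strings).
POLICIES = ("OPTIONAL", "REQUIRED", "S256_REQUIRED")
# RFC 7636 section 4.1: code_verifier is 43-128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def derive_challenge(verifier: str, method: str) -> str:
    """Compute the code_challenge a client sends for a given code_verifier."""
    if method == "plain":
        return verifier  # the challenge is the secret itself
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        # base64url without padding, as in RFC 7636 section 4.2
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    raise ValueError(f"unsupported code_challenge_method: {method!r}")


def authorize_allowed(policy: str, challenge, method=None) -> bool:
    """Authorization request: is this use of PKCE acceptable under the policy?"""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy!r}")
    if challenge is None:
        return policy == "OPTIONAL"
    method = method or "plain"  # RFC 7636 section 4.3: omitted method means plain
    if method not in ("plain", "S256"):
        return False
    return method == "S256" or policy != "S256_REQUIRED"


def token_allowed(stored_challenge, stored_method, verifier) -> bool:
    """Token request: does the code_verifier match the challenge bound to the code?"""
    if stored_challenge is None:
        # No PKCE was bound to this code; reject a verifier with nothing to match.
        return verifier is None
    if verifier is None or not VERIFIER_RE.fullmatch(verifier):
        return False
    expected = derive_challenge(verifier, stored_method or "plain")
    # Constant-time comparison of the recomputed and stored challenges.
    return hmac.compare_digest(expected.encode(), stored_challenge.encode())
```

With `S256`, presenting an observed `code_challenge` as the `code_verifier` fails the token check, while with `plain` the same observed value passes, which is the difference the S256\_required option enforces.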
