HOORAY!! To enhance the security, the API now supports PKCE authorization. 🎉🎊

Proof Key for Code Exchange is an extension of the OAuth 2.0 Authorization Code Flow and Access Token Request by adding additional parameters. The usage of PKCE is completely optional and it is defined in RFC 7636. PKCE is particularly useful in insecure environments where decompiling the application reveals sensitive information like the Client Secret. Insecure environments can be e.g. Single Page Applications or Mobile Apps.

The code_verifier is a random generated string with a length between 43 and 128, so it is protected against decompiling. In the Authorization Code Flow the client sends a hashed version of the code_verifier (now called code_challenge) and the used hash method (called code_challenge_method) along with the required OAuth parameters to the token endpoint. When the client requests an access token, the code_verifier and the OAuth required parameters will be send to the token_endpoint. The token endpoint hashes the reviewed code_verifier and compares it with the stored code_challenge from the Authorization Code Flow. If both are equal, the PKCE check is passed. An overview about the all used OAuth 2.0 parameter is given in the Authentication section.

The new PKCE authorization comes with new error messages.

PKCE errors while requesting the autorization code
PKCE errors while requesting the access token