OAuth Error: PKCE Required

Last updated: April 2026

OAuth Error Response
{"error": "invalid_request", "error_description": "PKCE required for this client."}

Your OAuth provider requires PKCE (RFC 7636) for this client, but your authorization request did not include a code_challenge and code_challenge_method. Generate a code_verifier before redirecting, send its S256 challenge on the authorization request, and send the verifier itself when exchanging the code for a token.

Fix: generate and send PKCE parameters

// Generate PKCE pair (RFC 7636). The code_verifier is a base64url string of
// 43..128 characters; the code_challenge is the base64url SHA-256 of that
// string's ASCII bytes. Hashing the raw random bytes (and only encoding them
// afterwards) yields a challenge the token endpoint can never match.
async function generatePKCE() {
  const toBase64url = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
  // 32 random bytes -> 43-character verifier
  const code_verifier = toBase64url(crypto.getRandomValues(new Uint8Array(32)));
  // Hash the ASCII form of the verifier, not the random bytes
  const digest = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(code_verifier));
  return {
    code_verifier,
    code_challenge: toBase64url(digest),
  };
}

// Add to authorization URL (keep the query on one line; other parameters as before)
const { code_verifier, code_challenge } = await generatePKCE();
// Persist code_verifier (e.g. sessionStorage) so it survives the redirect back
const authUrl = `${provider}/authorize?code_challenge=${code_challenge}&code_challenge_method=S256&...`;

// Send the stored verifier in the form body when exchanging the code for a token
POST /token
  code_verifier=${code_verifier}
  &code=${authCode}&...

Enable PKCE in provider dashboard

Auth0: Application Settings → Grant Types → Authorization Code (PKCE).

Okta: Application → Sign-On Policy → PKCE required.

Cognito: App client → Auth flows → ALLOW_USER_SRP_AUTH off, PKCE on.