          API (Enable OAuth Settings): Require Proof Key for Code Exchange (PKCE) Control

          An OAuth 2.0 security extension that uses a dynamically created cryptographic "code verifier" to make sure that the application exchanging an authorization code for an access token is the same that originally requested the code.

          Control Name

          Connected Apps: API (Enable OAuth Settings): Require Proof Key for Code Exchange (PKCE)

          Recommended Configuration

          Require Proof Key for Code Exchange (PKCE) Extension for Supported Authorization Flows - Selected.

          Control Overview

          PKCE is a security extension for OAuth 2.0 that uses a dynamically created cryptographic "code verifier" to ensure that the application exchanging an authorization code for an access token is the same application that originally requested the code.

          Security Risk If Not Configured

          Without PKCE, public clients (like mobile apps or single-page apps) are vulnerable to "Authorization Code Interception": they cannot securely store a client secret, so the token endpoint has no way to verify that the application redeeming the code is the same one that requested it.

          Threat Scenarios

          An attacker intercepts an authorization code returned by a successful authorization, via a custom URI scheme or browser redirect, and immediately exchanges it for a valid access token before the legitimate application can, effectively hijacking the user's session.

          Estimated CVSS Score Range

          Critical (9.0–10.0).

          Risk Impact Considerations

          A successful interception leads to total account takeover within the application's scope, potentially allowing the adversary to exfiltrate sensitive PII or perform unauthorized transactions as the compromised user.

          Higher Risk When

          Risk is high for mobile applications and Single-Page Applications where the code is transmitted over potentially insecure system browsers or shared device environments.

          Low Risk When

          The risk is considered lower for "Confidential Clients" (server-to-server integrations) that can securely store and use a Client Secret to authenticate the token exchange, though PKCE is still recommended as defense-in-depth.

          Business and Integration Considerations

          Enforcing PKCE requires developers to update their application's OAuth handshake logic to generate and send the code_challenge and code_verifier parameters, which may require updating legacy mobile libraries.
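          As an added illustration (not Salesforce's code and not an excerpt from this article), the following Python sketch shows what the client-side change described above amounts to, and why the control closes the interception scenario described earlier: the client derives a code_challenge from a random code_verifier, sends only the challenge with the authorization request, and presents the verifier at the token exchange; a toy authorization server then binds each issued code to its challenge and rejects any exchange that cannot produce the matching verifier. The endpoint URL, client ID and redirect URI are placeholders, and ToyAuthorizationServer is a stand-in written for this example, not Salesforce's token service.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlencode

# Placeholder endpoint; assumed for this example, not taken from the article.
AUTHZ_ENDPOINT = "https://login.example.invalid/services/oauth2/authorize"

# RFC 7636 Appendix B test vector, used to sanity-check the challenge transform.
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def b64url_nopad(raw: bytes) -> str:
    """base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier: 32 random bytes give 43 unreserved chars, the RFC's minimum length."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) for code_challenge_method=S256."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, challenge: str) -> str:
    """The authorization request a PKCE-enabled public client sends; only the challenge leaves the device."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


@dataclass
class ToyAuthorizationServer:
    """Stand-in for the server side (constructed for this example, not Salesforce's service).

    It records the challenge bound to each issued code and, at the token endpoint, refuses
    any exchange whose verifier does not hash to that challenge.
    """
    require_pkce: bool = True
    _issued: Dict[str, Optional[str]] = field(default_factory=dict)

    def authorize(self, challenge: Optional[str]) -> str:
        """Issue an authorization code; with the control on, a request without a challenge is refused."""
        if self.require_pkce and not challenge:
            raise ValueError("code_challenge is required")
        code = secrets.token_urlsafe(16)
        self._issued[code] = challenge
        return code

    def token(self, code: str, verifier: Optional[str]) -> dict:
        """Exchange a code for a token; the code is consumed whether or not the check passes."""
        if code not in self._issued:
            return {"error": "invalid_grant"}
        challenge = self._issued.pop(code)
        if challenge is not None:
            if verifier is None or not secrets.compare_digest(s256_challenge(verifier), challenge):
                return {"error": "invalid_grant"}
        return {"access_token": "tok-" + secrets.token_hex(8), "token_type": "Bearer"}


def demo() -> dict:
    """Run the flow as the legitimate app, as an interceptor holding only the code, and without the control."""
    results = {}
    server = ToyAuthorizationServer(require_pkce=True)

    # 1. Legitimate public client: the verifier stays on the device until the token request.
    verifier = make_code_verifier()
    challenge = s256_challenge(verifier)
    results["authorize_url"] = build_authorize_url("PLACEHOLDER_CLIENT_ID", "myapp://oauth/callback", challenge)
    code = server.authorize(challenge)
    results["legitimate_ok"] = "access_token" in server.token(code, verifier)

    # 2. Interceptor: holds a fresh code taken from the redirect, but never saw the verifier.
    code = server.authorize(s256_challenge(make_code_verifier()))
    results["intercepted_without_verifier"] = server.token(code, None).get("error")

    # 3. Guessing a verifier fares no better; its hash will not match the bound challenge.
    code = server.authorize(s256_challenge(make_code_verifier()))
    results["intercepted_with_guess"] = server.token(code, make_code_verifier()).get("error")

    # 4. With the control on, a client that omits the challenge is not issued a code at all.
    try:
        server.authorize(None)
        results["challenge_optional"] = True
    except ValueError:
        results["challenge_optional"] = False

    # 5. Control not selected: the bare code alone buys a token, the risk the article describes.
    legacy = ToyAuthorizationServer(require_pkce=False)
    code = legacy.authorize(None)
    results["unprotected_exchange_ok"] = "access_token" in legacy.token(code, None)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

          Running the script prints one line per scenario: the legitimate exchange succeeds, both interceptor attempts return invalid_grant, the no-challenge request is refused, and only the server with the control switched off accepts a bare code. The S256 method is used rather than "plain" because the challenge is what travels through the browser redirect; with S256, seeing it reveals nothing about the verifier.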

          Recommended Remediation

          Go to the Connected App settings in Salesforce and turn on the checkbox for "Require Proof Key for Code Exchange (PKCE) Extension."

          Security Health Review Guidance

          Security Health Review identifies PKCE as a mandatory baseline for all modern public-facing integrations to close the "code-injection" loophole and ensure high-assurance identity verification for mobile and web users.

          Salesforce Help | Article