          Security: Require Proof Key for Code Exchange (PKCE) Control

          Control Name

          External Client Apps: Security: Require Proof Key for Code Exchange (PKCE)

          Recommended Configuration

          Require Proof Key for Code Exchange (PKCE) extension for Supported Authorization Flows.

          Control Overview

          This security setting requires the PKCE handshake (RFC 7636) on every compatible OAuth 2.0 grant type. The client sends a code challenge (the base64url-encoded SHA-256 hash of a secret code verifier) with the initial authorization request and presents the plaintext code verifier when it exchanges the authorization code for tokens. The authorization server recomputes the hash and compares it with the stored challenge, which binds the token request to the specific client instance that started the flow.

          Security Risk If Not Configured

          Without PKCE enforced across all supported flows, a malicious actor who intercepts an authorization code or other intermediate credential can exchange it for an access token, because the authorization server has no technical means of verifying that the party redeeming the code is the same client instance that initiated the request.

          Threat Scenarios

          An attacker captures a valid authorization code or other interceptable credential from a successful login, for example from browser history, system logs, or by registering a competing handler for the application's custom URI scheme, and programmatically redeems it for a valid access token before the legitimate client can complete the handshake.

          Estimated CVSS Score Range

          High (7.0–8.9).

          Risk Impact Considerations

          Failure to enforce PKCE across all applicable flows permits session hijacking and unauthorized data access at scale, particularly for integrations where a static client secret is either not used or has already been compromised.

          Higher Risk When

          The risk is higher for public clients, such as native mobile applications and single-page web applications (SPAs), because these platforms cannot securely store a client secret and frequently run in environments where the redirect carrying the authorization code can be observed by other software on the device or in the browser.

          Low Risk When

          The scenario is lower risk if the org exclusively uses confidential clients running on secured back-end servers that already present a mandatory client secret and operate inside a strictly isolated network perimeter. Note that a client secret alone does not stop authorization code injection, so current OAuth 2.0 security best practice recommends PKCE for confidential clients as well.

          Business and Integration Considerations

          Enabling this requirement across all supported flows means every integrated client application must support the S256 code_challenge_method and generate a fresh, high-entropy code verifier (43 to 128 characters from the unreserved URI character set, per RFC 7636) for every authorization request, never reusing a verifier across requests. Clients that cannot send an S256 code challenge will fail the authorization request once the control is enabled, so inventory and test every integration before turning it on.
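The handshake described under Control Overview and the client-side requirements under Business and Integration Considerations, as an added Python example (not Salesforce's code and not from this article): the client generates a fresh code verifier for each authorization request and derives the S256 challenge, and a constructed in-memory authorization server stands in for the real authorization and token endpoints so that the threat scenario can be replayed offline. The `AuthorizationServer` class, the `mobile-app` client ID and the demo functions are assumptions for illustration only; the server models nothing beyond the checks the control turns on.

```python
import base64
import hashlib
import hmac
import secrets
import string

# Characters RFC 7636 permits in a code_verifier (the URI "unreserved" set).
UNRESERVED = string.ascii_letters + string.digits + "-._~"


def generate_code_verifier(length: int = 64) -> str:
    """Fresh, high-entropy verifier; RFC 7636 requires 43 to 128 characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43-128 characters")
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))


def code_challenge_s256(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) with '=' padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Constructed in-memory model of the server side; not Salesforce's implementation.

    It models only the checks that the 'Require PKCE' control turns on.
    """

    def __init__(self, require_pkce: bool):
        self.require_pkce = require_pkce
        self._codes = {}  # authorization code -> (client_id, code_challenge or None)

    def authorize(self, client_id, code_challenge=None, code_challenge_method=None):
        """Authorization endpoint: bind the issued code to the client's challenge."""
        if self.require_pkce and (code_challenge is None or code_challenge_method != "S256"):
            # Control enabled: a request with no PKCE, or with the weak 'plain'
            # method, is refused before any code is issued.
            raise PermissionError("invalid_request: S256 code_challenge is required")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id, code, code_verifier=None):
        """Token endpoint: the code is single-use and must be proven with the verifier."""
        entry = self._codes.pop(code, None)  # consumed on first use, success or failure
        if entry is None:
            raise PermissionError("invalid_grant: unknown or already-used code")
        issued_to, challenge = entry
        if issued_to != client_id:
            raise PermissionError("invalid_grant: code was issued to another client")
        if challenge is not None:
            if code_verifier is None or not hmac.compare_digest(
                code_challenge_s256(code_verifier), challenge
            ):
                raise PermissionError("invalid_grant: code_verifier does not match")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def client_starts_flow(server):
    """Client side: new verifier for every request, S256 challenge sent up front."""
    verifier = generate_code_verifier()
    if server.require_pkce:
        code = server.authorize("mobile-app", code_challenge_s256(verifier), "S256")
    else:
        code = server.authorize("mobile-app")  # legacy client that never adopted PKCE
    return verifier, code


def legitimate_exchange(server):
    """The real client finishes the handshake with the verifier it kept in memory."""
    verifier, code = client_starts_flow(server)
    return server.token("mobile-app", code, code_verifier=verifier)


def interception_attack(server):
    """Threat scenario: the attacker captures the redirect (history, logs, URI-scheme
    hijack) and races the real client to the token endpoint with the bare code.
    Returns True if the attacker is issued a token."""
    _verifier, code = client_starts_flow(server)  # attacker sees only the code
    try:
        server.token("mobile-app", code)  # no code_verifier: the attacker never had it
        return True
    except PermissionError:
        return False


def accepts_challenge_method(server, method: str) -> bool:
    """Does the authorization endpoint accept this code_challenge_method value?"""
    try:
        server.authorize("mobile-app", code_challenge_s256(generate_code_verifier()), method)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    for enforced in (False, True):
        srv = AuthorizationServer(require_pkce=enforced)
        print(f"PKCE required={enforced}: attacker got token -> {interception_attack(srv)}")
```

With the control off, the intercepted code alone is enough to obtain a token; with it on, the same attack is refused and the weak `plain` method is rejected at the authorization endpoint. The server also burns the code on a failed verifier check, so a failed interception attempt cannot be retried with a guessed verifier.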

          Recommended Remediation

          Go to the OAuth Settings of the External Client App and select the checkbox to Require Proof Key for Code Exchange (PKCE) for all supported authorization flows.

          Security Health Review Guidance

          Security Health Review treats PKCE as a mandatory architectural standard for all modern identity and authorization flows, so that every token exchange is cryptographically bound to the specific client instance that initiated it, preventing both authorization code interception and authorization code injection.

          Salesforce Help | Article