PKCE (Proof Key for Code Exchange) is now supported and recommended for user authentication in OAuth and GitHub Apps. This OAuth 2.0 standard (RFC 7636) helps protect authorization codes issued to a client by ensuring that only the client that began the user authentication is able to exchange the authorization code for an access token.

To use PKCE, your application can include the code_challenge_method and code_challenge query parameters when your app launches the user authorization flow. It must then include the corresponding code_verifier parameter when exchanging the authorization code for an access token. Only the S256 code challenge method is accepted.
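The two halves of that flow, as an added example that is not part of this changelog or GitHub's own code: the client derives the S256 challenge from a random verifier, sends only the challenge on the authorize redirect, and later presents the verifier on the token exchange; the last function shows the check the authorization server performs. The endpoint URLs are GitHub's documented OAuth endpoints; client_id, redirect_uri and state values are placeholders.

```python
"""PKCE (RFC 7636) S256 helpers for GitHub's authorization code flow."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# GitHub's documented OAuth endpoints (assumption: unchanged at time of writing).
AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
TOKEN_URL = "https://github.com/login/oauth/access_token"


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random high-entropy verifier: 43-128 chars of [A-Za-z0-9-._~] per RFC 7636."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) with padding stripped."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(client_id: str, redirect_uri: str, state: str, code_verifier: str) -> str:
    """Step 1: redirect the user to GitHub carrying the challenge, never the verifier."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge_method": "S256",  # the only method GitHub accepts
        "code_challenge": s256_challenge(code_verifier),
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def build_token_request(client_id: str, code: str, redirect_uri: str, code_verifier: str) -> dict:
    """Step 2: POST body for TOKEN_URL; the verifier proves this client began the flow."""
    return {
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }


def server_side_check(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server does: recompute the challenge and compare in constant time."""
    return secrets.compare_digest(stored_challenge, s256_challenge(presented_verifier))
```

A stolen authorization code is useless without the verifier, which only ever leaves the client in the direct token-exchange request to TOKEN_URL.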

GitHub is not requiring PKCE for any authentication flow at this time, as GitHub does not distinguish between public and confidential clients. Both GitHub Apps and OAuth apps should use PKCE with the authorization code flow. The device code flow and installation token flows do not use PKCE.

A small set of applications were incorrectly using the PKCE flow, and they have been given an exemption from PKCE enforcement to ensure they keep working. We’ve reached out to these app developers to help them update their apps to use PKCE with GitHub.

For more details on how to use PKCE and authenticate users, see: