Auth

PKCE flow

About authenticating with PKCE flow.


The Proof Key for Code Exchange (PKCE) flow is one of two ways that a user can authenticate and your app can receive the necessary access and refresh tokens.

The flow is an implementation detail handled for you by Supabase Auth, but understanding the difference between PKCE and implicit flow is important for understanding the difference between client-only and server-side auth.

How it works

After a successful verification, the user is redirected to your app with a URL that looks like this:


_10
https://yourapp.com/...?code=<...>

The code parameter is commonly known as the Auth Code and can be exchanged for an access token by calling exchangeCodeForSession(code).

As the flow is run server side, localStorage may not be available. You may configure the client library to use a custom storage adapter and an alternate backing storage such as cookies by setting the storage option to an object with the following methods:


_23
const customStorageAdapter: SupportedStorage = {
_23
getItem: (key) => {
_23
if (!supportsLocalStorage()) {
_23
// Configure alternate storage
_23
return null
_23
}
_23
return globalThis.localStorage.getItem(key)
_23
},
_23
setItem: (key, value) => {
_23
if (!supportsLocalStorage()) {
_23
// Configure alternate storage here
_23
return
_23
}
_23
globalThis.localStorage.setItem(key, value)
_23
},
_23
removeItem: (key) => {
_23
if (!supportsLocalStorage()) {
_23
// Configure alternate storage here
_23
return
_23
}
_23
globalThis.localStorage.removeItem(key)
_23
},
_23
}

You may also configure the client library to automatically exchange it for a session after a successful redirect. This can be done by setting the detectSessionInUrl option to true.

Putting it all together, your client library initialization may look like this:


_14
const supabase = createClient(
_14
'https://xyzcompany.supabase.co',
_14
'public-anon-key',
_14
{
_14
...
_14
auth: {
_14
...
_14
detectSessionInUrl: true,
_14
flowType: 'pkce',
_14
storage: customStorageAdapter,
_14
}
_14
...
_14
}
_14
)

Limitations

Behind the scenes, the code exchange requires a code verifier. Both the code in the URL and the code verifier are sent back to the Auth server for a successful exchange.

The code verifier is created and stored locally when the Auth flow is first initiated. That means the code exchange must be initiated on the same browser and device where the flow was started.

Resources