What is PKCE?

PKCE (pronounced "pixie") stands for Proof Key for Code Exchange. It's an extra security step in the OAuth flow that makes an authorization code useless to anyone who intercepts it during the redirect.

The problem it solves

In the standard OAuth flow, Google sends an authorization code back to your app through the browser's URL. If someone intercepts that code (through a compromised browser extension, for example), they could exchange it for the user's info.

How it works

  1. Before redirecting to Google, your app generates a random secret and a hash of that secret.
  2. The hash is sent to Google with the authorization request.
  3. When Google redirects back with the code, your app sends the original secret along with the code exchange.
  4. Google hashes the secret and checks that the result equals the hash from step 2, proving it's the same app that started the flow.

An attacker who intercepts only the code can't use it, because they don't have the original secret.
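The four steps above, worked through in Python as an added example (this is not the starter's own code). The provider-side check in step 4 is simulated locally, and the client_id, redirect URI and state values are placeholders.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """Step 1: the random secret (code_verifier). 32 random bytes -> 43 chars."""
    return b64url(secrets.token_bytes(32))


def challenge_from_verifier(verifier: str) -> str:
    """Step 1: the hash of the secret (code_challenge, method S256)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_params(verifier: str, client_id: str, redirect_uri: str, state: str) -> dict:
    """Step 2: query parameters sent with the authorization request. Only the hash leaves the app."""
    return {
        "response_type": "code",
        "client_id": client_id,            # placeholder value supplied by the caller
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": challenge_from_verifier(verifier),
        "code_challenge_method": "S256",
    }


def provider_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """Step 4, as the provider does it: recompute the hash and compare in constant time."""
    return hmac.compare_digest(challenge_from_verifier(presented_verifier), stored_challenge)


def simulate_flow() -> tuple[bool, bool]:
    """Returns (legitimate exchange accepted, intercepted-code exchange accepted)."""
    verifier = make_verifier()                       # kept in the app's session, never sent in step 2
    params = authorization_params(verifier, "client-id-placeholder",
                                  "https://app.example/callback", secrets.token_urlsafe(16))
    stored = params["code_challenge"]                # what the provider remembers alongside the code
    legit = provider_accepts(stored, verifier)       # step 3: the real app sends the original secret
    attacker = provider_accepts(stored, make_verifier())  # attacker has the code but not the secret
    return legit, attacker
```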

Do you need to worry about it?

No. The auth starter handles PKCE automatically for Google OAuth. Google requires it; GitHub doesn't use it. Both flows are standard and secure — the starter implements whichever the provider expects.