Migrate to PKCE
PKCE (Proof Key for Code Exchange) adds a one-time secret to the OAuth authorization code exchange, protecting against intercepted authorization codes. It is now part of ShipBob’s OAuth flow. This guide walks through adding it to an OAuth app that was built before PKCE.
What changes
PKCE adds two parameters to the authorize request and one to the token exchange. Nothing else about your OAuth flow changes - the client_id, client_secret, redirect_uri, and scopes all stay the same, and the client_secret is still required.
Migration steps
Step 1: Generate a code verifier and challenge
For each authorization request, generate a fresh PKCE pair:
- code_verifier – a cryptographically random string, 43-128 characters, using only the URL-safe characters A-Z, a-z, 0-9, -, ., _, ~. Keep it secret and store it for the token exchange (Step 3).
- code_challenge – the Base64-URL-encoded (no padding) SHA-256 hash of the code_verifier.
Always use the S256 challenge method. Never use the plain method in production.
Step 2: Add the challenge to your authorize request
Append code_challenge and code_challenge_method=S256 to the authorize URL you already build.
Step 3: Add the verifier to your token exchange
Include the matching code_verifier in the token request. The client_secret is still required - PKCE is an additional layer, not a replacement.
The code_verifier must match the code_challenge you sent on the authorize request in Step 2. Generate a new pair for every authorization - never reuse a code_verifier.
PKCE applies only to the initial authorization code exchange. You do not need to send a code_verifier or code_challenge when refreshing tokens.
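The three steps above, worked through in Python as an added example (not ShipBob's own code): generating an S256 pair, appending the challenge to the authorize URL, and sending the verifier alongside the client_secret at token exchange. The endpoint URL is a placeholder, the non-PKCE parameters are assumed to be the ones your existing app already sends, and server_verifies shows the check the authorization server performs, which is why an intercepted code is useless without the verifier.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholder: take the real authorize endpoint from the Authentication guide.
AUTHORIZE_URL = "https://auth.example.invalid/oauth/authorize"
VERIFIER_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def compute_challenge(verifier: str) -> str:
    """S256: Base64-URL-encode (no padding) the SHA-256 of the ASCII verifier."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def generate_pkce_pair() -> tuple[str, str]:
    """Fresh (code_verifier, code_challenge) for one authorization request."""
    # token_urlsafe(64) gives 86 chars from A-Z a-z 0-9 - _ : inside 43-128.
    verifier = secrets.token_urlsafe(64)
    assert 43 <= len(verifier) <= 128 and set(verifier) <= VERIFIER_CHARS
    return verifier, compute_challenge(verifier)


def build_authorize_url(client_id: str, redirect_uri: str, scope: str, challenge: str) -> str:
    """Step 2: the existing authorize URL plus the two PKCE parameters."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def build_token_request(client_id: str, client_secret: str, redirect_uri: str,
                        code: str, verifier: str) -> dict:
    """Step 3: PKCE is additive, so client_secret stays next to code_verifier."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


def server_verifies(stored_challenge: str, presented_verifier: str) -> bool:
    """The authorization server's check: recompute S256 and compare in constant time."""
    return secrets.compare_digest(stored_challenge, compute_challenge(presented_verifier))
```

Store the verifier with the pending authorization (for example in the session keyed by state) so the token exchange can retrieve the exact value whose challenge was sent.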
For the full OAuth walkthrough, see the Authentication guide.

