Skip to main content

PKCE Overview

Proof Key for Code Exchange (PKCE) is an extension of the OAuth 2.0 Authorization Code flow that enhances security for public or mobile clients that cannot safely store a client secret. It adds a verification step between the authorization request and token exchange to prevent intercepted authorization codes from being reused by malicious actors. You should use PKCE if your application is a mobile app, single-page app (SPA), or any client that cannot securely store a client secret. If your application is a traditional server-side (confidential) client, you can continue using the standard Authorization Code flow.
PKCE (RFC 7636) is also available to developers as an extension of the authorization code flow. To enable it, toggle PKCE in the App details page.
5d438b48f6491e173c4f3f92e9c350000b1ff8497477459e6db264edc8026016 pkce gif
Once PKCE is enabled, the application can only use the PKCE workflow. If PKCE parameters are not provided, the authorization code flow will fail. To switch back the toggle, the application should have no active keys.

Once your app parameters are set, you can implement the authorization code flow. To request access, create a Consent link that redirects the user.
If you’re familiar with the Client Credentials workflow, you might notice that the Generate Consent URL button is not present in the partner portal for the authorization code workflow. This is because, with the authorization code method, you need to provide a redirect URI specific to your organization. Therefore, these URLs must be configured directly within your workflow.
If the redirect URI is not declared in the application, the redirection will be blocked.
If you have PKCE enabled, then the consent URL will require additional parameters:
URL
https://consent.criteo.com/request?response_type=code
&client_id={client_id}
&redirect_uri={redirect_uri}
&state={state}
&code_challenge={code_challenge}
&code_challenge_method={code_challenge_method}

Parameter

Required

Description

response_type=code

Yes

Indicates that an authorization code is expected as outcome.

client_id

Yes

Your public key from the app credentials section.

redirect_uri

Yes

The URL to redirect the user after consent. Must match the configured URI.

state

No

Optional string to prevent Cross-Site Request Forgery attacks.

code_challenge

Yes when PKCE is enabled

A challenge derived from thecode_verifierthat is sent in the authorization request, to be verified against later.

code_challenge_method

No

A method that was used to derivecode_challenge.

The methods available:

plain: no transformation (not recommended)

S256: recommended & secure (hash + base64url)(also default when no method is provided)


Step 2. Exchanging the Access Code for the Access Token

You can find more details about the OAuth endpoint in our API Reference.
If you have PKCE enabled and made the consent request with PKCE parameters, your access token request must have one more parameter, which is code_verifier:

Example Request

curl -L 'https://api.criteo.com/oauth2/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'client_id=<MY_CLIENT_ID>' \
-d 'client_secret=<MY_CLIENT_SECRET>' \
-d 'redirect_uri=<MY_URI>' \
-d 'code=<MY_CODE>' \
-d 'grant_type=authorization_code' \
-d 'code_verifier=<MY_CODE_VERIFIER>'

Example Response (Success)

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "bearer",
  "expires_in": 3600,
}

Parameters

All the following parameters are required in the context of PKCE.

Parameter

Description

grant_type=authorization_code

Indicates that you are providing an authorization code.

code

Authorization code returned during redirection.

redirect_uri

Must match theredirect_uriused for the authorization request.

client_id

Your public key from the app credentials.

client_secret

Your secret key, accessible when creating credentials.

code_verifier

A high-entropy random string created by the client (usually 43–128 characters).

Using the Refresh Token

To renew an access token, use the following request:
curl -X POST https://api.criteo.com/oauth2/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=refresh_token&code={code}&redirect_uri={redirect_uri}&client_id={client_id}&client_secret={client_secret}"

Parameter

Description

grant_type=refresh_token

Indicates that you are providing a refresh token.

refresh_token

Refresh token shared when requesting an access token.

client_id

Your public key accessible in app credentials section.

client_secret

Your secret key, accessible only once when creating a pair ofclient_idandclient_secretin credentials section.

The response will be the same as when issuing an access token.