The Challenge Code Token is a type of token that will allow the client application (Client) to access certain protected resources, using ‘The Proof Key for Code Exchange (PKCE, pronounced pixie)’, that allow to use this token without the need of use cliente_secret to sign request. This token is not part of oauth2 spec, but is obtained using the pace extensions of Oauth 2.

The valid period of a Challenge Code Token is 60 seconds (1 minute). If a Challenge Code Token has expired, a new one must be requested.

Please read to understand better the process of obtain this token.

Flow process

You must first creates what is known as a “code verifier“. This is a cryptographically random string using the characters A-Z, a-z, 0-9, and the punctuation characters -._~ (hyphen, period, underscore, and tilde), between 43 and 128 characters long.

Once the app has generated the code verifier, it uses that to create the code challenge. For devices that can perform a SHA256 hash, the code challenge is a BASE64-URL-encoded string of the SHA256 hash of the code verifier. Clients that do not have the ability to perform a SHA256 hash are permitted to use the plain code verifier string as the challenge.

We do no allow to create 2 tokens using the same code “code verifier“, so be sure that this code is random and strong.

Endpoint URL:

POST https://{}/oauth2/token

Header parameters


Request parameters

client_idClient identifier of your app obtained via cockpit panel.string
client_secretSecret key of your app obtained via cockpit panel.string
code_challengeThe code challenge generated as previously described.
code_challenge_methodeither plain or S256, depending on whether the challenge is the plain verifier string or the SHA256 hash of the string. If this parameter is omitted, the server will assume plain.

Please use S256 EVER
scopescope /permissions for this token. Depending where you use this token, could be an entrypoint_id, or other scopes, comma or space separated. Please refer specific endpoint for more details