Authorization Code Flow with PKCE

I’m using this resource to get my auth flow working:

When I send the Auth request, the user is redirected to the login page. Is there a recommended way to store the code_verifier while the redirect happens? Local storage? Cookie?

Per the possible storage types you mentioned I’m assuming this is a SPA so one possibility could be to use an higher-level SDK and leave that detail for the SDK. I think the Auth0 SPA SDK ( uses cookies as the default storage mechanism for such data.

One advantage of cookies is that you can get automatic cleanup done by the browser for cases where a login request may be abandoned by the user.


Thanks! I’ll go for the cookie for now.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.