PKCE Flow risk of exposing publicly authDomain and clientId


I am currently experimenting building a cli which would authenticate on an API using the PKCE flow.
At the moment I have something like

mycli login --oauth-authDomain "" --oauth-clientId "xxx" ""

and I am considering exposing publicly the authDomain and the clientID via the API so I could simplify to something like

mycli login ""

So my question, is there any security risk to expose publicly the auth domain and the clientid?
They are the same for anyone using the application anyway
Is there a better way to authenticate on an API than using the PKCE flow?

Hi @olblak,

Welcome to the Auth0 Community!

The domain and client ID are designed to be shared with the client and have exposed to the end user in the PKCE flow.

Hope that helps!

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.