The x-usePkce allows you to enable Proof Key for Code Exchange (PKCE) for the Oauth2 or OpenID Connect authorization code flow in the Replay.
When specified, the Replay sends both code_challenge and code_verifier to the authorization and token endpoints.
Use the x-usePkce extension in the authorizationCode flow object
| Option | Type | Description |
|---|---|---|
| x-usePkce | boolean | Enables PKCE to enhance security by preventing interception of authorization codes during the OAuth2 or OpenID Connect flow. |
The following configuration enables the PKCE for the operation:
openapi: '3.0.0'
info:
...
tags: [...]
components:
securitySchemes:
oauth2_auth:
type: "oauth2"
flows:
authorizationCode:
x-usePkce: true
authorizationUrl: "https://example.com/authorize"
tokenUrl: "https://example.com/token"- RFC 7636 - Proof Key for Code Exchange - Official specification defining PKCE for OAuth2 and OpenID Connect security enhancement
- Show extensions configuration - Control which extensions are included in your API reference documentation for optimal presentation
- OpenAPI configuration settings - Complete reference for all available OpenAPI configuration options and customization settings
- Supported OpenAPI extensions - Complete list of all OpenAPI extensions supported by Redocly for enhanced API documentation