PKCE authentication: client-side vs server-side
In this blog post, I’ll show you two ways of implementing an OAuth PKCE flow to acquire a third-party API key without keeping any persistent user session state on the backend.
- In the client-side flow, the user’s browser is responsible for storing secrets.
- In the server-side flow, we’ll involve a backend to keep secrets out of the browser, but rely on cryptography instead of storing persistent state.
I’ll use the OpenRouter.ai PKCE API as an example because of the challenges that came up when I tried to implement and host a small AI demo application. They include
- Trusted handling of sensitive API keys, which allow spending money on the user’s behalf
- Avoiding user accounts or other persistent server-side state
- Defending against XSS, CSRF, and malware