# `AshAuthentication.Oauth2Server.PKCE`
[🔗](https://github.com/team-alembic/ash_authentication_oauth2_server/blob/v0.1.0/lib/ash_authentication/oauth2_server/pkce.ex#L5)

PKCE (RFC 7636) S256 helpers.

We only support `S256` — `plain` is rejected at the authorize endpoint per
OAuth 2.1.

# `challenge`

```elixir
@spec challenge(String.t()) :: String.t()
```

Compute the S256 code challenge for a verifier.

    challenge = base64url(sha256(verifier))

# `verify`

```elixir
@spec verify(String.t() | nil, String.t() | nil) :: :ok | :error
```

Constant-time comparison of `verifier` against a stored `challenge`.

Returns `:ok` if they match, `:error` otherwise. Bad input shapes return
`:error` rather than crashing.

---

*Consult [api-reference.md](api-reference.md) for complete listing*