state (String): An opaque value the client adds to the initial request and that Auth0 includes when redirecting back to the client. The client must use this value to prevent CSRF attacks.
nonce (String): A local key held as the comparator to state; the two should be the same.
challenge (String): Challenge generated from the code_verifier.
method (String): Method used to generate the challenge. The PKCE spec defines two methods, S256 and plain; however, Auth0 supports only S256 since the latter is discouraged.
verifier (String): Cryptographically random key that was used to generate the code_challenge passed to /authorize.
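
How the five values above relate, as an added example that is not taken from this page or from any Auth0 SDK: it derives the S256 challenge from the verifier as RFC 7636 defines it, and checks the returned state against the locally held copy on the callback. The function names, the client ID and the redirect URI are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    # 32 random bytes -> 43 characters, the minimum length RFC 7636 allows.
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    # challenge = BASE64URL(SHA256(ASCII(verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_params(client_id: str, redirect_uri: str):
    """Return (query parameters for /authorize, values to keep locally)."""
    verifier = new_verifier()
    state = b64url(secrets.token_bytes(16))
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    }
    # The verifier and the local copy of state never go in the authorize URL.
    local = {"nonce": state, "verifier": verifier}
    return params, local


def state_matches(returned_state, local_nonce: str) -> bool:
    """Callback check: reject a missing or mismatched state."""
    if not returned_state:
        return False
    # Constant-time comparison of the returned state with the local copy.
    return hmac.compare_digest(returned_state.encode(), local_nonce.encode())
```

The verifier is sent only later, in the token request, so that the server can recompute the challenge and compare it with the one received at /authorize.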