Generate a cryptographically random code_verifier (43-128 chars) and derive code_challenge by Base64url-encoding the SHA-256 hash of the verifier
Redirect the user to the authorization endpoint with response_type=code, client_id, redirect_uri, scope, state (random nonce), code_challenge, and code_challenge_method=S256
After the user authenticates, the server redirects back with a code parameter; verify the state value matches what you sent
Exchange the code for tokens by POSTing to the token endpoint with grant_type=authorization_code, code, redirect_uri, client_id, and code_verifier (not the challenge)
Store the access token in memory only; store the refresh token in a secure HttpOnly cookie or secure server-side session; never put either in localStorage
On each protected API call attach the access token in the Authorization header; use the refresh token to obtain a new access token when the current one expires
Known gotchas
The code_verifier must be generated fresh for every authorization request; reusing it defeats PKCE
Validate that redirect_uri in the token exchange exactly matches the one registered with the authorization server
State parameter validation is mandatory; skipping it opens the flow to CSRF attacks
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp