Gathering detailed insights and metrics for js-pkce
Gathering detailed insights and metrics for js-pkce
Installations
npm install js-pkceDeveloper Guide
BETA
Typescript
Yes
Module System
CommonJS
Node Version
22.11.0
NPM Version
10.9.0
Releases
14
Languages
2
TypeScript
JavaScript
TypeScript (98.41%)
JavaScript (1.59%)
Developer
bpedroza
Download Statistics
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
GitHub Statistics
MIT License
35 Stars
103 Commits
12 Forks
2 Watchers
3 Branches
6 Contributors
Updated on Jun 30, 2025
Maintainers
1
Package Meta Information
Latest Version
2.0.0
Package Id
js-pkce@2.0.0
Unpacked Size
86.87 kB
Size
20.63 kB
File Count
17
NPM Version
10.9.0
Node Version
22.11.0
Published on
Dec 22, 2024
Total Downloads
Cumulative downloads
Total Downloads
NaN
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
js-pkce
A package that makes using the OAuth2 PKCE flow easier.
This package is implemented according to the specification: rfc7636.
Use from CDN
Since version 1.3.0 this package is available to be used from a CDN:
https://cdn.jsdelivr.net/npm/js-pkce/dist/browser.js
Explicit version example:
https://cdn.jsdelivr.net/npm/js-pkce@1.5/dist/browser.js
Installation
npm i js-pkce
Create a new instance
Create a new instance of js-pkce with all of the details needed.
1import PKCE from 'js-pkce'; 2const pkce = new PKCE({ 3 client_id: 'myclientid', 4 redirect_uri: 'http://localhost:8080/auth', 5 authorization_endpoint: 'https://authserver.com/oauth/authorize', 6 token_endpoint: 'https://authserver.com/oauth/token', 7 revoke_endpoint: 'https://authserver.com/oauth/revoke', // optional 8 requested_scopes: '*', 9 storage: sessionStorage // optional 10});
Start the authorization process
Typically you just need to go to the authorization url to start the process. This example is something that might work in a SPA.
1window.location.replace(pkce.authorizeUrl());
You may add additional query parameters to the authorize url by using an optional second parameter:
1const additionalParams = {test_param: 'testing'}; 2window.location.replace(pkce.authorizeUrl(additionalParams));
Trade the code for a token
After logging in with the authorization server, you will be redirected to the value in
the redirect_uri parameter you set when creating the instance.
Again, this is an example that might work for a SPA.
When you get back here, you need to exchange the code for a token.
1const url = window.location.href; 2pkce.exchangeForAccessToken(url).then((resp) => { 3 const token = resp.access_token; 4 // Do stuff with the access token. 5});
As with the authorizeUrl method, an optional second parameter may be passed to
the exchangeForAccessToken method to send additional parameters to the request:
1const url = window.location.href; 2const additionalParams = {test_param: 'testing'}; 3 4pkce.exchangeForAccessToken(url, additionalParams).then((resp) => { 5 const token = resp.access_token; 6 // Do stuff with the access token. 7});
Refreshing the token
Get a new access token using a refresh token
1pkce.refreshAccessToken(refreshToken).then((resp) => { 2 const accessToken = resp.access_token; 3 const refreshToken = resp.refresh_token; 4 // Do stuff with the access & refresh token. 5});
Revoking a token
Revoke a token. Note that the specification for this functionality in the context of PKCE is not very well defined. This may not work for all authorization servers.
You may optionally pass a token_type_hint as the second parameter.
1pkce.revokeToken(tokenToExpire, 'access_token')
Cors credentials
When using httpOnly cookies, there is some additional configuration required. The method
enableCorsCredentials can be called to allow sending credentials.
1pkce.enableCorsCredentials(true);
A note on Storage
By default, this package will use sessionStorage to persist the pkce_state. On (mostly) mobile
devices there's a higher chance users are returning in a different browser tab. E.g. they kick off
in a WebView & get redirected to a new tab. The sessionStorage will be empty there.
In this case it you can opt in to use localStorage instead of sessionStorage:
1import PKCE from 'js-pkce'; 2const pkce = new PKCE({ 3 // ... 4 storage: localStorage, // any Storage object, sessionStorage (default) or localStorage 5});
No vulnerabilities found.
Reason
no binaries found in the repo
Reason
no dangerous workflow patterns detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE.txt:0
- Info: FSF or OSI recognized license: MIT License: LICENSE.txt:0
Reason
2 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
Reason
dependency not pinned by hash detected -- score normalized to 3
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/run-tests.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/bpedroza/js-pkce/run-tests.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/run-tests.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/bpedroza/js-pkce/run-tests.yml/master?enable=pin
- Info: 0 out of 2 GitHub-owned GitHubAction dependencies pinned
- Info: 1 out of 1 npmCommand dependencies pinned
Reason
Found 2/7 approved changesets -- score normalized to 2
Reason
2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
Reason
branch protection is not maximal on development and all release branches
Details
- Warn: branch protection not enabled for branch '1.x'
- Info: 'allow deletion' disabled on branch 'master'
- Info: 'force pushes' disabled on branch 'master'
- Info: 'branch protection settings apply to administrators' is required to merge on branch 'master'
- Warn: could not determine whether codeowners review is allowed
- Warn: no status checks found to merge onto branch 'master'
- Warn: PRs are not required to make changes on branch 'master'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of Branch Protection settings
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/run-tests.yml:1
- Info: no jobLevel write permissions found
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 29 are checked with a SAST tool
Score
3.8
/10
Last Scanned on 2025-07-07
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More