datarekha
MLOps Hard Asked at MicrosoftAsked at GoogleAsked at Okta

Does PKCE protect an AI agent after an OAuth access token has been stolen?

The short answer

No. PKCE protects the authorization-code exchange by binding it to the client that initiated the flow. It does not make an already issued bearer access token unusable. Limit stolen-token replay with audience restriction, short lifetime, downstream authorization and sender-constrained tokens such as DPoP or mTLS.

How to think about it

PKCE prevents an attacker who intercepts an authorization code from redeeming it without the verifier. Once a bearer access token has been issued and copied, the code exchange is over. The relevant controls are narrow scope, validated audience, short lifetime, resource-server authorization and sender constraints.

Learn it properly Token theft & runtime authorization

Keep practising

All MLOps questions

Explore further

Skip to content