Missing PKCE configuration


Severity

medium

What it is

PKCE (Proof Key for Code Exchange) is not enabled, leaving the OAuth flow vulnerable to authorization code interception attacks.

How Igris detects it

Igris's OAuth Configuration Checker flags this during MCP security scans of your configuration.
