Civic Auth supports multiple OAuth 2.0 authentication methods to provide maximum security across different application architectures and use cases.

Authentication Methods

Best for: Public clients (SPAs, mobile apps) where secrets cannot be securely stored.

How it Works

  • Uses Proof Key for Code Exchange (PKCE) for security
  • Default method for public clients
  • Code verifier/challenge mechanism provides security
  • No client secret required or used

Security Benefits

  • ✅ No sensitive credentials to manage client-side
  • ✅ Dynamic verification for each authentication request
  • ✅ Industry standard for public clients
  • ✅ Prevents authorization code interception attacks

Configuration

const config = {
  clientId: "your_client_id",
  // PKCE enabled by default, no client secret needed
  redirectUrl: "https://yourapp.com/callback"
}

When to Use Each Method

PKCE Only

  • Single-page applications (SPAs)
  • Mobile applications
  • Frontend applications (React, Vue, Angular)
  • When client secrets cannot be securely stored
  • Default for public clients

Client Secret Only

  • Legacy OAuth 2.0 integrations
  • Traditional server-side applications
  • When PKCE is not supported
  • Simple backend services
  • Existing OAuth infrastructure

PKCE + Client Secret

  • High-security server applications
  • Financial or healthcare systems
  • Enterprise backend services
  • Maximum security requirements
  • Modern confidential clients

Getting Client Secrets

To generate a client secret, log into your dashboard at auth.civic.com, navigate to the Security tab, and click “Generate Client Secret”. Important: The client secret is only displayed once upon generation, so make sure to copy and securely store it immediately. You can always regenerate a new client secret if needed.
Client Secret Generation in Dashboard
Security Requirements: Client secrets must be stored securely and never exposed in client-side code. They are suitable only for server-side applications with secure credential storage.
Flexible Security: Choose the authentication method that best fits your application architecture. Use PKCE-only for public clients, client secrets for traditional OAuth compatibility, or both together for maximum security.

Security Considerations

Implementation Example

The Civic Auth SDK is initialized with a config object that varies based on the authentication method you choose. The core implementation remains the same. 
import { CivicAuth } from '@civic/auth/server';

// Define the config object using the parameters from the table below
const config = {
  clientId: process.env.CLIENT_ID,
  // ... other parameters
};

// 'storage' is your implementation of CookieStorage
const civicAuth = new CivicAuth(storage, config);

Configuration Parameters

ParameterPKCE Only (Default)Client Secret OnlyPKCE + Client Secret (Max Security)Notes
clientIdRequiredRequiredRequiredYour application’s Client ID.
clientSecretNot usedRequiredRequiredGenerate in dashboard Security tab.
pkcetrue (default)falsetrueEnables or disables PKCE.
redirectUrlRequiredRequiredRequiredThe URL to redirect to after login.
postLogoutRedirectUrlOptionalOptionalOptionalThe URL to redirect to after logout.
For full implementation examples with specific frameworks, see our integration guides. The guides show the PKCE-only approach by default, but you can adapt the config object using the parameters above for other flows.