Federated PKCE Auth via Pugpig Distribution
We recommend using your own PKCE (Proof Key for Code Exchange) implementation, hosted on your own server or through your existing authentication provider. This gives you full control and flexibility. You can read more about that approach here.
However, we understand that this isn’t always possible due to technical limitations or time constraints. That’s why we offer an alternative: we can provide pre-configured PKCE endpoints through Pugpig Distribution, which connect seamlessly to your existing authentication setup.
What we provide
We host a ready-to-use login screen (and an optional register screen) that uses the PKCE OAuth 2.0 flow. These pages:
- Are customisable with your brand colours and styling using theme settings or custom CSS
- Support localisable copy so you can adapt messages for your audience
- Handle the full login or register flow, then pass the relevant tokens back to your app
You’ll just need to provide login and register API endpoints from your system. When a user signs in, your service should return an access token (and optionally, a refresh token). You can find more about this in our documentation on auth packs.
Auth domain requirement
Due to how Firefox handles browser tabs on Android, we need to use a separate domain for authentication. This is only necessary if you're using our hosted PKCE login/register screens. The issue arises when both content and authentication are served from the same domain, so we avoid that by using a dedicated auth domain.
You can choose the domain name, though we suggest something like auth.yourdomain.com. This should be pointed to pugpig.map.fastly.net using a CNAME DNS record, just like you do for vanity domains.
Once this is in place, let your onboarding contact know which domain you've set up, and we'll take care of the rest in your app configuration.