code_challenge_method=S256 only.
Generate verifier and challenge
verifier in sessionStorage (or secure server session) until the callback.
Authorize
Add to the authorize URL:Token exchange
Send the original verifier:BASE64URL(SHA256(verifier)) === code_challenge.
If you see Invalid OAuth state on the callback, you likely opened a sample authorize URL from the Developer Portal instead of starting login in your app. See Errors & troubleshooting.