🛡️ PKCE (Proof Key for Code Exchange)
This client uses the Authorization Code flow with PKCE (S256).
A random code_verifier is generated, hashed into a
code_challenge, and sent with the authorization request.
During token exchange the original verifier is sent so the server can
verify the request originated from the same client.