Docs state: “The code_challenge must be the base64url-encoded SHA-256 hash of the code_verifier.” I’m implementing the flow for a SPA and the token endpoint keeps returning HTTP 400 with invalid_grant. Here’s the JS hash function I’m using. It looks correct but the server rejects it. Am I missing a padding step?