Getting a 400 Bad Request on the token exchange endpoint with error=invalid_grant.
POST /oauth/token
...
code_verifier=xyz123...
The code challenge matches the verifier, and the auth code is fresh. Am I missing a specific scope for the SPA flow or is the hashing wrong?