The client creates a secret, generates a code challenge, and holds onto the secret. When a user consents to the requested scopes, the authorization code is issued. The client submits the authorization code along with the code_verifier in the request to the token endpoint. Snowflake then verifies that the transformed code_verifier value matches the code_challenge value used when generating authorizations. If they match, access and refresh tokens are issued.