pattern·pro·oauth_pkce
OAuth 2.1 PKCE
Auth flow with code-challenge + code-verifier — secure for public clients without a stored client secret.
PKCE = Proof Key for Code Exchange. The client generates a random code_verifier, hashes it to produce the code_challenge, sends the challenge in the /authorize request, and sends the verifier in the /token request. The server checks SHA-256(verifier) == challenge. Used by Claude Desktop, Cursor, Codex when registering with hosted MCP servers.
Relationships
oauth · auth · pattern · pro