API Gateway 10.11 | Using API Gateway | Usage Scenarios | Securing Access Token Calls with PKCE | How do I enforce PKCE selectively for each access token call?
 
How do I enforce PKCE selectively for each access token call?
You can enforce PKCE specific to each GET access token call. To perform this use case, you must clear the Enforce PKCE check box in the Administration > Security > JWT/OAuth/OpenID screen. When you disable the PKCE global option, by default PKCE is not verified. But if you send the authorize request with the code challenge and code challenge method parameters, you get an access token with PKCE verification.