Your app needs to act on a user's behalf in a third-party service (read their GitHub repos, post to their Slack). Design the OAuth 2.0 authorization-code flow with PKCE. Walk through each step and what each parameter is for, explain what PKCE defends against and why it matters even for confidential clients, how you handle scopes and refresh tokens, and where each token is stored. Explain why you never use the implicit flow or embed the client secret in a mobile/SPA client.