
The OAuth 2.1 “spec” simplifies some of the OAuth 2.0 specifications (e.g. eliminates those that are no longer considered secure, etc.). One of the things OAuth 2.1 suggests is using PKCE even for Confidential (Server Side) Clients.



Here’s what OAuth 2.1 says: "PKCE is required for all OAuth clients using the authorization code flow"



I don’t see any mention of PKCE in the Box documentation. Can you tell me if PKCE is being considered for future Box authentication?
