Following the steps found here. The POST to https://api.amazon.com/auth/o2/token to request refresh/access tokens has a code verifier listed as one of the parameters. I believe the code verifier needs an accompanying challenge code but I don't see where that's used. I looked up the Authorize API and see it has a state param. Is that where the code challenge needs to be passed in?
On the other hand in the Mobile SDK i see a code challenge passed into the Authorize API and a code verifier used to request tokens and a client secret isn't used in requesting tokens. Can the web API work similarly?