A random 64-char alphanumeric string is generated locally — your Code Verifier.

You're redirected to Spotify with a SHA-256 hash of the verifier — the Code Challenge. Only this page knows the original.

Spotify returns an auth code. We exchange it for an access token by proving we hold the original verifier — no secret needed.