Session

Client-side OAuth with PKCE

The OAuth standard has been around for a while, but traditionally it has required a back-end server to hold a client secret, well, secret. Until now! By supporting Proof Key for Code Exchange, or PKCE, OAuth flows can now be accomplished entirely in the client--and still be secure. In this talk we begin with the standard three-legged flow that utilizes the traditional client secret and then introduce the PKCE technique that relies on a code challenge instead. By the time you leave, you will understand how to implement it in your client applications and the benefits of doing so.

Scott McAllister

Developer Advocate at ngrok

Seattle, Washington, United States
