PKCE should be implemented wherever possible as it offers protection against bad actors potentially intercepting the code and using it to retrieve a token fraudulently.
PKCE should especially be implemented in native apps, or single-page applications that initiate OAuth requests client-side, as storing your Client Secret in application source code may expose it if the app is decompiled.
More
If you need more info, please take a look at our documentation on implementing the PKCE flow in the Auth Link and when Exchanging Code with Access Token.
Also, see our related articles: