Assess the ability to design, implement, and evaluate the OAuth 2.0 Authorization Code flow with PKCE for single-page applications (SPAs). Scope includes generating/verifying code verifier/challenge, configuring redirect URIs and client metadata, securely exchanging codes for tokens, safe token storage and lifecycle (including refresh strategies), mitigating CSRF/XSS and token-leak risks, and integrating with authorization servers and front-end frameworks. Expect applied tasks and tradeoff analysis for real-world SPA scenarios.