Description
Expected Behavior
When using the OAuth Authorisation Code journey with PKCE, the client secret is no longer mandated for the OAuth app.
Therefore, when PKCE is used and no client secret is specified, there should be no Basic auth header on the "access token" URL.
Actual Behavior
Insomnia adds an encoded Basic auth header of "<client_id>:". The OAuth server then responds with a 400 bad response and no token is presented.
Reproduction Steps
Configure OAuth with PKCE and SHA-256 Challenge Method.
Fill out Grant Type as Authorisation Code.
Fill out the Authorisation URL, Access Token URL and Client ID.
DO NOT ENTER a client secret
Click "Refresh Token" button
Look at the response timeline - The call to the Access Token endpoint will include a Basic Auth header.
Is there an existing issue for this?
- I have searched the issue tracker for this problem.
Which sync method do you use?
- Git sync.
- Insomnia Cloud sync.
- Local only
Additional Information
No response
Insomnia Version
11.2.0
What operating system are you using?
macOS
Operating System Version
MacOS Sequoia 15.5
Installation method
Downloaded from Website
Last Known Working Insomnia version
No response