diff --git a/server.js b/server.js
index 2142a3b..42f2040 100644
--- a/server.js
+++ b/server.js
@@ -362,11 +362,12 @@ const resolveRedirects = async (redirectTo, cookies, depth = 0) => {
 throw new Error('Could not resolve authorization redirect');
 };
-const exchangeAuthorizationCode = async (code, discovery) => {
+const exchangeAuthorizationCode = async (code, discovery, codeVerifier) => {
 const body = new URLSearchParams({
 grant_type: 'authorization_code',
 code,
 redirect_uri: REDIRECT_URI,
+ code_verifier: codeVerifier,
 client_id: CLIENT_ID,
 client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
 client_assertion: createClientAssertion(discovery.token_endpoint)
@@ -428,7 +429,7 @@ const runHeadlessSsoLogin = async ({ loginId, password }) => {
 throw new Error('Authorization code not found after redirect resolution');
 }
- const tokenResponse = await exchangeAuthorizationCode(resolution.code, discovery);
+ const tokenResponse = await exchangeAuthorizationCode(resolution.code, discovery, authState.codeVerifier);
 const idTokenPayload = decodeJwtPayload(tokenResponse.id_token);
 return {
@@ -501,7 +502,11 @@ const pollHeadlessPhoneLogin = async (pendingContext) => {
 throw new Error('Authorization code not found after phone redirect resolution');
 }
- const tokenResponse = await exchangeAuthorizationCode(resolution.code, pendingContext.discovery);
+ const tokenResponse = await exchangeAuthorizationCode( resolution.code, pendingContext.discovery, pendingContext.authState.codeVerifier );
 const idTokenPayload = decodeJwtPayload(tokenResponse.id_token);
 return {
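Review bot: The added `code_verifier: codeVerifier,` goes straight into `URLSearchParams`, so any caller that omits the new third argument sends the literal string `undefined` as the verifier rather than failing locally; the exchange is then rejected by a PKCE-enforcing token endpoint, or goes through without PKCE on one that does not enforce it, and neither outcome points at the real mistake. A fail-fast guard at the top of the function makes the new requirement explicit: `if (typeof codeVerifier !== 'string' || codeVerifier.length === 0) throw new Error('code_verifier is required for the authorization_code exchange');`. RFC 7636 also requires the verifier to be 43–128 unreserved characters, which this function cannot check from here since the value is generated elsewhere. The body of exchangeAuthorizationCode continues past the end of the hunk.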
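Review bot: The changed line passes `authState.codeVerifier`, but this only yields PKCE protection if the authorization request that produced `resolution.code` carried a `code_challenge` derived from this same value with `code_challenge_method=S256`; `authState` is built outside this hunk, so the pairing cannot be confirmed here and is worth stating at the call site, e.g. `// PKCE: this must be the verifier whose S256 challenge was sent in the authorization request built from authState`. The verifier should also be generated per login with CSPRNG randomness and never reused across attempts, which presumably happens wherever `authState` is created — verify. runHeadlessSsoLogin starts and ends outside the hunk.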
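Review bot: The added call reads `pendingContext.authState.codeVerifier` unguarded, so a pending context created before this change or round-tripped through a store that dropped `authState` surfaces as a bare TypeError from the property access instead of a descriptive failure. Resolve it first and fail with a clear message: `const codeVerifier = pendingContext.authState?.codeVerifier;` followed by `if (!codeVerifier) throw new Error('PKCE code verifier missing from pending phone login context');`, then pass `codeVerifier` to the exchange. Note that during the polling window the verifier is as sensitive as the authorization code itself, so if `pendingContext` is persisted or logged between polls it should be handled as a secret — how it is stored is not visible here. pollHeadlessPhoneLogin starts outside the hunk.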