In scenarios where storing the client secret is not safe (e.g. desktop, mobile apps or JavaScript web apps running in the browser), you can use the authorization code with PKCE, as it provides protection against attacks where the authorization code may be intercepted. 引⽤元: https://developer.spotify.com/documentation/web-api/concepts/authorization 6