diff --git a/source.txt b/source.txt index 62d57e1..77c1d2c 100644 --- a/source.txt +++ b/source.txt @@ -62,6 +62,7 @@ Table of Contents 8. Session description............................................9 9. Bearer tokens and access control...............................9 10. Application-first bearer token issuance.......................10 + 10.1. Optional PKCE support 11. Storage-first bearer token issuance...........................12 12. Example wire transcripts......................................12 12.1. WebFinger................................................12 @@ -438,7 +439,7 @@ Table of Contents "rel": "http://tools.ietf.org/id/draft-dejong-remotestorage", "properties": { "http://remotestorage.io/spec/version": , - "http://tools.ietf.org/html/rfc6749#section-4.2": , + "http://tools.ietf.org/html/rfc6749#section-3.1": , "...": "...", } } 
@@ -499,6 +500,29 @@ Table of Contents redirect_uri parameter for unique client identification. See section 4 of [ORIGIN] for computing the origin. +10.1 Optional PKCE support + + As an optional extension, servers MAY support the OAuth 2.0 + Authorization Code grant with Proof Key for Code Exchange (PKCE) + [PKCE]. If supported, the server MUST advertise the following + WebFinger properties on the remoteStorage link: + + * "http://tools.ietf.org/html/rfc6749#section-3.1" with the + authorization endpoint URL, + * "http://tools.ietf.org/html/rfc6749#section-3.2" with the + token endpoint URL, + * "http://tools.ietf.org/html/rfc7636" with a string value + indicating supported code_challenge method(s). Servers MUST + support "S256". Servers SHOULD NOT advertise "plain" unless + "S256" is also supported. Clients SHOULD use "S256". + + Clients SHOULD use PKCE when these properties are present; + otherwise they SHOULD use the implicit grant as described above. + Scope handling, redirect URI origin checks [ORIGIN], and bearer + token usage [BEARER] remain unchanged. + + Note: PKCE will be required in protocol versions >= 2.0. + 11. Storage-first bearer token issuance To request that the application connects to the user account @@ -854,9 +878,11 @@ charset=UTF-8","Content-Length":106,"Last-Modified":"Sat, 2 Jun 2018 1\ This document registers the following WebFinger properties: * "http://remotestorage.io/spec/version" - * "http://tools.ietf.org/html/rfc6749#section-4.2" + * "http://tools.ietf.org/html/rfc6749#section-3.1" + * "http://tools.ietf.org/html/rfc6749#section-3.2" * "http://tools.ietf.org/html/rfc6750#section-2.3" * "http://tools.ietf.org/html/rfc7233" + * "http://tools.ietf.org/html/rfc7636" * "http://remotestorage.io/spec/web-authoring" 16. Acknowledgements 
@@ -896,6 +922,11 @@ charset=UTF-8","Content-Length":106,"Last-Modified":"Sat, 2 Jun 2018 1\ "Section 4.2: Implicit Grant", in: Hardt, D. (ed), "The OAuth 2.0 Authorization Framework", RFC6749, October 2012. + [PKCE] + Sakimura, N. (ed), Bradley, J., and Agarwal, N., "Proof Key + for Code Exchange by OAuth Public Clients", RFC 7636, + September 2015. + [ORIGIN] "Section 4: Origin of a URI", in: Barth, A., "The Web Origin Concept", RFC6454, December 2011.
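Review bot: the new table-of-contents entry `+ 10.1. Optional PKCE support` has no dot leaders and no page number, unlike every neighbouring entry such as `10. Application-first bearer token issuance.......................10`; since the document is paginated, add the leader and the page the new subsection lands on so the table stays aligned when rendered.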
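Review bot: replacing `"http://tools.ietf.org/html/rfc6749#section-4.2"` with `#section-3.1` in the WebFinger example changes the meaning of the property, not just its name: section-4.2 identified the implicit grant, while section-3.1 is the authorization endpoint that new section 10.1 introduces only for servers that also offer PKCE. A reader of this example no longer sees the implicit-grant key that the unchanged section 10 text still relies on, so either keep the section-4.2 property in the example beside the new one, or state in section 10 that section-3.1 now carries the authorization endpoint for both grant types.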
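Review bot: in the new section 10.1, "Clients SHOULD use PKCE when these properties are present" leaves open whether all three properties are required, and a server that emits section-3.1 without section-3.2 (as the example hunk now does) would satisfy a loose reading; key the trigger on the `"http://tools.ietf.org/html/rfc7636"` property and require section-3.1 and section-3.2 whenever it is present. The value of that property, "a string value indicating supported code_challenge method(s)", also needs a defined encoding (a single method name or a space-separated list) or clients cannot parse it reliably. Finally, because remoteStorage applications are public clients, the text should say that the token endpoint MUST accept the code exchange without a client secret and MUST reject an exchange whose code_verifier does not match the stored challenge; without that requirement, mandating "S256" on the server gives no assurance.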
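Review bot: dropping `- * "http://tools.ietf.org/html/rfc6749#section-4.2"` from the registered WebFinger properties contradicts section 10.1, which still tells clients to fall back to the implicit grant "as described above" when the PKCE properties are absent; that fallback is advertised through the section-4.2 property, so removing its registration leaves existing servers emitting an unregistered key and gives clients no documented way to find the implicit-grant endpoint. Keep section-4.2 in the list (marked as deprecated in favour of section-3.1 if that is the intent) and add the new section-3.1, section-3.2 and rfc7636 entries alongside it.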
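Review bot: the new `[PKCE]` reference writes the number as "RFC 7636" with a space, while the neighbouring entries use the run-together form "RFC6749" and "RFC6454"; match the existing style. The authors, title and September 2015 date given for RFC 7636 are correct.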