Thanks 
I don’t understand the diagram because the [App] block appears to be doing stuff for the native application and the server from my apparent misunderstanding of how this flow works. I have a native app that generates a code verifier and code challenge and it opens the system browser to the /authorize endpoint. Also, the diagram from the Auth0 shows the Auth0 tenant sending the code directly to the App, but in my case that would go to the system browser or my server and I cannot retrieve values from the system browser from my native app. If the app in the diagram can send the Code Verifier and Code challenge and get an id token and access token, then I assume it must be safe for my native app to poll my server with those values to retrieve the access code, but I don’t see a way to map those values to the returned access code because it is the only value returned from the /authorize endpoint.