I understand you are wondering if PKCE is required when using Passwordless SMS.
Yes, it is required. Let me explain further. First, Passwordless SMS is a type of connection, whereas PKCE is related to your application type.
Since you are using React Native, this uses the authorization code flow with PKCE. As a result, regardless of your connection type, like passwordless, social, or database, you must still use the authorization code flow with PKCE. It is unfortunately unavoidable and required since native applications are public clients and cannot securely store secrets.
Given that, the login flow for passwordless SMS using PKCE should look like the following:
1. GET /authorize endpoint to get to your login page
2. POST /passwordless/start endpoint to send a verification code using SMS to the phone number submitted
3. POST /oauth/token endpoint with the code to authenticate the user and return an access token
Therefore, when beginning the authentication flow, you must first call the /authorize endpoint to reach your login page to request sending a verification code to the user.
In this case, the authorization code flow with PKCE should look like this: