$code_verifier = decrypt(@$_SESSION['code_verifier']);

    $data = array(
        'client_id' => $client_id,
        'grant_type' => 'authorization_code',
        'code' => $code,
        'code_verifier' => $code_verifier,
    );

    $h = curl_init($token_endpoint);
    curl_setopt($h, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($h, CURLOPT_TIMEOUT, 10);
    //curl_setopt($h, CURLOPT_USERPWD, "{$client_id}:{$client_secret}");
    curl_setopt($h, CURLOPT_POST, true);
    curl_setopt($h, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($h, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
    curl_setopt($h, CURLOPT_POSTFIELDS, http_build_query($data));

    $res = curl_exec($h);
    ...