xint-oauth-pkce-state-mismatch-each-invocation-generates-new-challenge
Each call to xint auth start generates a new PKCE challenge and state token. If the user pastes a redirect URL that was captured from a prior auth flow, the token exchange fails with a state mismatch error. The PKCE verifier must be captured from the same invocation that produced the authorization URL. Workaround: perform the manual token exchange using curl with the exact verifier from that specific invocation.