Using PKCE OAuth with YNAB
The YNAB OAuth documentation recommends the Implicit Flow for OAuth applications where the client is untrusted, such as a mobile app. Unfortunately, the implicit flow is less secure than the PKCE flow and provides a poor user experience.
Furthermore, the implicit flow does not support refresh tokens, so the UX for a third-party app will require frequent user disruption to re-authenticate.
If the YNAB API supports the PKCE flow, then a mobile app can securely authenticate and receive a refresh token. This will greatly help the UX for third-party apps.
Further reading on the PKCE flow can be found here:
I would love to see YNAB support PKCE, as I consider the poor UX of the implicit flow to be a blocker preventing integration with YNAB. I look forward to hearing back from the YNAB API team.
You can go ahead and submit a feature request for the PKCE flow option. Right now, it's not an option available, but it's something we are aware of and could potentially make available, based on interest.