• Code_verifier: A cryptographically random string that is used to correlate the authorization request to the token request.

With regards to code_verifier, you should use the value, that you used when creating the code_challenge in the /authorize ? call. 

By using the value, that you used when creating the code_challenge, we have a way for MobilePay to verify the call. It should match. You execute the Authorization call once, and you also make the code_challenge once with one code_verifier. But you need to save your code_verifier so you can use it, every time you utilize your refresh token. This means that you’ll not need to go through the Authorize call again, but you simply need to utilize the code_verifier from the original authorization call.

CodeVerifierMinLength = 43
CodeVerifierMaxLength = 128