Question about OAuth 2.0 PKCE Documentation

In the following section, the OAuth documentation for using PKCE seems to be inaccurate. As I understand it, the goal of PKCE is to avoid needing to have the secret available to the client, but the documentation indicates it should be used in step 2.

https://gitlab.com/gitlab-org/gitlab/-/blob/master/doc/api/oauth2.md#authorization-code-with-proof-key-for-code-exchange-pkce

parameters = 'client_id=APP_ID&client_secret=APP_SECRET&code=RETURNED_CODE&grant_type=authorization_code&redirect_uri=REDIRECT_URI&code_verifier=CODE_VERIFIER'
RestClient.post 'https://gitlab.example.com/oauth/token', parameters

Instead, it should have the secret removed. I have also validated that this works in an SPA I'm developing.

parameters = 'client_id=APP_ID&code=RETURNED_CODE&grant_type=authorization_code&redirect_uri=REDIRECT_URI&code_verifier=CODE_VERIFIER'
RestClient.post 'https://gitlab.example.com/oauth/token', parameters

It seems a similar problem exists with point 3, for token refreshes.

Should I submit a PR to the documentation on this point, or is there more context I'm missing?
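For reference, here is a worked PKCE flow for a public client (an SPA or native app that cannot hold a secret), written as an added example rather than taken from the GitLab documentation or from the post above. It shows the three pieces the question touches: generating the code_verifier and its S256 code_challenge (RFC 7636), the step 2 token exchange that carries code_verifier and no client_secret, and a step 3 refresh that likewise omits the secret. It also includes the authorization server's side of step 2, which is what makes the secret unnecessary: the server stored the challenge with the code and only accepts a verifier that hashes to it. The host gitlab.example.com, the APP_ID and REDIRECT_URI placeholders, the sample code and refresh token, and the `scope=api` value are assumptions; the request bodies are built but never sent, so the script runs offline. The refresh request follows RFC 6749 (grant_type=refresh_token plus client_id for a public client) rather than the parameter list in the linked documentation.

```ruby
require 'securerandom'
require 'digest'
require 'uri'

# Base64url without padding, as RFC 7636 requires for the S256 challenge.
def urlsafe_b64(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

# code_verifier: 43..128 unreserved characters. 32 random bytes encode to
# exactly 43 base64url characters, which meets the minimum length.
def generate_code_verifier
  SecureRandom.urlsafe_base64(32, false)
end

# code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
def code_challenge_for(code_verifier)
  urlsafe_b64(Digest::SHA256.digest(code_verifier))
end

# Step 1: authorization request. Only the challenge leaves the client; the
# verifier stays in memory until the token exchange.
def authorize_url(base_url, client_id, redirect_uri, code_challenge, state)
  params = {
    'client_id' => client_id, 'redirect_uri' => redirect_uri,
    'response_type' => 'code', 'state' => state, 'scope' => 'api', # scope is an assumption
    'code_challenge' => code_challenge, 'code_challenge_method' => 'S256'
  }
  "#{base_url}/oauth/authorize?#{URI.encode_www_form(params)}"
end

# Step 2: token request for a public client. No client_secret; the
# code_verifier proves this is the same client that started the flow.
def token_request_params(client_id, code, redirect_uri, code_verifier)
  {
    'client_id' => client_id, 'code' => code,
    'grant_type' => 'authorization_code', 'redirect_uri' => redirect_uri,
    'code_verifier' => code_verifier
  }
end

# Step 3: refresh for a public client, also without client_secret (RFC 6749 6).
def refresh_request_params(client_id, refresh_token)
  { 'client_id' => client_id, 'refresh_token' => refresh_token, 'grant_type' => 'refresh_token' }
end

# Constant-time string comparison so the check does not leak how many
# leading bytes of the challenge matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Authorization server side of step 2: the challenge was stored alongside the
# code in step 1; the exchange succeeds only if SHA256(verifier) matches it.
# A stolen code is useless to an attacker who never saw the verifier.
def server_accepts_exchange?(stored_challenge, presented_verifier)
  return false if presented_verifier.nil?
  return false unless (43..128).cover?(presented_verifier.length)
  secure_equal?(code_challenge_for(presented_verifier), stored_challenge)
end

# End-to-end walk-through with constructed values (nothing is sent over the network).
def run_pkce_demo
  base_url     = 'https://gitlab.example.com'     # assumption
  client_id    = 'APP_ID'                          # placeholder, as in the docs
  redirect_uri = 'https://spa.example/callback'    # assumption
  verifier     = generate_code_verifier
  challenge    = code_challenge_for(verifier)
  state        = SecureRandom.hex(16)

  url = authorize_url(base_url, client_id, redirect_uri, challenge, state)
  # ...user authenticates, server stores `challenge` with the issued code...
  returned_code = 'RETURNED_CODE' # constructed stand-in for the code in the redirect
  token_params  = token_request_params(client_id, returned_code, redirect_uri, verifier)
  accepted      = server_accepts_exchange?(challenge, token_params['code_verifier'])
  refresh       = refresh_request_params(client_id, 'REFRESH_TOKEN')

  { authorize_url: url, token_body: URI.encode_www_form(token_params),
    server_accepted: accepted, refresh_body: URI.encode_www_form(refresh) }
end

if __FILE__ == $PROGRAM_NAME
  run_pkce_demo.each { |k, v| puts "#{k}: #{v}" }
end
```

The token body produced here is the same shape as the corrected line in the post (client_id, code, grant_type, redirect_uri, code_verifier, nothing else); posting it with RestClient.post to /oauth/token is the only step this example leaves out. The RFC 7636 Appendix B test vector (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM) is a quick way to confirm the S256 encoding is right before testing against a real server.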