Does PKCE replace client-secrets?


This is a more direct “yes” or “no” question to the following:

PKCE vs Client Secret

What is the purpose of the OAuth2 client secret?

Does PKCE replace state in the Authorization Code OAuth flow?

I am assuming the answer is “yes” based on the above, so only the client_id is needed and the secret generation is managed by the client through their code verifiers. Though if that were the case, why would Google still use client secrets for their OAuth 2.0 Client IDs (unless their equivalent of secret-less client IDs are the API Keys, which I haven’t verified to be their PKCE)?
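
For reference, the code verifier mechanism mentioned in the question, as an added example that is not part of the original post: a toy token endpoint that checks the PKCE S256 verifier (RFC 7636) per authorization code and, as a separate step, checks a client secret for clients registered with one. The client names, the secret value, and the `authorize`/`token` helpers are constructed for illustration.

```python
import base64, hashlib, hmac, re, secrets

def make_verifier() -> str:
    # RFC 7636 section 4.1: 43-128 unreserved chars; 32 random bytes give 43 chars
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()

def s256_challenge(verifier: str) -> str:
    # RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier))), no padding
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

# Constructed registry: a public client (no secret) and a confidential client
CLIENTS = {"spa-app": None, "backend-app": "constructed-secret-value"}
PENDING = {}  # authorization code -> (client_id, code_challenge)

def authorize(client_id: str, code_challenge: str) -> str:
    # Authorization endpoint: remember which challenge this code was issued for
    code = secrets.token_urlsafe(16)
    PENDING[code] = (client_id, code_challenge)
    return code

def token(client_id, code, code_verifier, client_secret=None) -> str:
    # Step 1: client authentication (static, per client, only if registered)
    if client_id not in CLIENTS:
        return "invalid_client"
    registered = CLIENTS[client_id]
    if registered is not None:
        supplied = (client_secret or "").encode()
        if not hmac.compare_digest(registered.encode(), supplied):
            return "invalid_client"
    # Step 2: the authorization code is single use and bound to the client
    entry = PENDING.pop(code, None)
    if entry is None or entry[0] != client_id:
        return "invalid_grant"
    # Step 3: PKCE (fresh per request) ties this token call to the
    # authorization request that produced the code
    if not re.fullmatch(r"[A-Za-z0-9\-._~]{43,128}", code_verifier):
        return "invalid_grant"
    expected = entry[1].encode()
    if not hmac.compare_digest(s256_challenge(code_verifier).encode(), expected):
        return "invalid_grant"
    return "access_token_issued"
```
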