diff --git a/embedx/config.schema.json b/embedx/config.schema.json
index b7f0c468a96..119ed3766fc 100644
--- a/embedx/config.schema.json
+++ b/embedx/config.schema.json
@@ -567,6 +567,13 @@
 "enum": ["id_token", "userinfo"],
 "default": "id_token",
 "examples": ["id_token", "userinfo"]
+ },
+ "pkce": {
+ "title": "Proof Key for Code Exchange",
+ "description": "PKCE controls if the OpenID Connect OAuth2 flow should use PKCE (Proof Key for Code Exchange). IMPORTANT: If you set this to `force`, you must whitelist a different return URL for your OAuth2 client in the provider's configuration. Instead of /self-service/methods/oidc/callback/, you must use /self-service/methods/oidc/callback",
+ "type": "string",
+ "enum": ["auto", "never", "force"],
+ "default": "auto"
 }
 },
 "additionalProperties": false,
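Review bot: The `description` of the new `pkce` property covers the redirect-URL consequence of `force` but never says what `auto` and `never` do, so an operator reading the schema cannot tell whether the default `auto` can leave a provider's flow running without PKCE. I would add one sentence per enum value to the description, in the form `auto: <condition under which PKCE is used>; never: PKCE is not used; force: PKCE is always used`, with the `auto` condition filled in from the implementation, which is not visible in this hunk. As shown here, the two callback paths in the description differ only by a trailing slash. If a provider-specific path segment was intended in the first one, it should be written out explicitly (for example `/self-service/methods/oidc/callback/{provider-id}`, placeholder name mine), because an incorrectly registered redirect URI makes the flow fail at the provider. The sibling property above also carries `examples`, which `pkce` omits.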