diff --git a/server/handlers.go b/server/handlers.go
index 3ad44b2b..49b8b624 100644
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -763,8 +763,8 @@ func (s *Server) handleToken(w http.ResponseWriter, r *http.Request) {
 grantType := r.PostFormValue("grant_type")
 codeVerifier := r.PostFormValue("code_verifier")
- if grantType == grantTypeAuthorizationCode && codeVerifier != "" && clientSecret == "" {
- // RFC 7636 (PKCE) if code_verifier is received, use PKCE and allow empty clientSecret
+ if client.Public && grantType == grantTypeAuthorizationCode && codeVerifier != "" && clientSecret == "" {
+ // RFC 7636 (PKCE) if code_verifier is received, use PKCE and allow empty clientSecret, when client is public
 } else if client.Secret != clientSecret {
 s.tokenErrHelper(w, errInvalidClient, "Invalid client credentials.", http.StatusUnauthorized)
 return