diff --git a/AppAuth.podspec b/AppAuth.podspec
index b175e6282..393dad42a 100644
--- a/AppAuth.podspec
+++ b/AppAuth.podspec
@@ -1,7 +1,7 @@
 Pod::Spec.new do |s|
 
   s.name         = "AppAuth"
-  s.version      = "1.6.2"
+  s.version      = "1.7.3"
   s.summary      = "AppAuth for iOS and macOS is a client SDK for communicating with OAuth 2.0 and OpenID Connect providers."
 
   s.description  = <<-DESC
@@ -43,30 +43,33 @@ It follows the OAuth 2.0 for Native Apps best current practice
 
   # Subspec for the core AppAuth library classes only, suitable for extensions.
   s.subspec 'Core' do |core|
-     core.source_files = "Source/AppAuthCore.h", "Source/AppAuthCore/*.{h,m}"
+     core.source_files = "Sources/AppAuthCore.h", "Sources/AppAuthCore/*.{h,m}"
+     core.resource_bundles = {
+       "AppAuthCore_Privacy" => ["Sources/AppAuthCore/Resources/PrivacyInfo.xcprivacy"]
+     }
   end
 
-  # Subspec for the full AppAuth library, including platform-dependant external user agents.
+  # Subspec for the full AppAuth library, including platform-dependent external user agents.
   s.subspec 'ExternalUserAgent' do |externalUserAgent|
     externalUserAgent.dependency 'AppAuth/Core'
     
-    externalUserAgent.source_files = "Source/AppAuth.h", "Source/AppAuth/*.{h,m}"
+    externalUserAgent.source_files = "Sources/AppAuth.h", "Sources/AppAuth/*.{h,m}"
     
     # iOS
-    externalUserAgent.ios.source_files      = "Source/AppAuth/iOS/**/*.{h,m}"
+    externalUserAgent.ios.source_files      = "Sources/AppAuth/iOS/**/*.{h,m}"
     externalUserAgent.ios.deployment_target = ios_deployment_target
     externalUserAgent.ios.frameworks        = "SafariServices"
     externalUserAgent.ios.weak_frameworks   = "AuthenticationServices"
 
     # macOS
-    externalUserAgent.osx.source_files      = "Source/AppAuth/macOS/**/*.{h,m}"
+    externalUserAgent.osx.source_files      = "Sources/AppAuth/macOS/**/*.{h,m}"
     externalUserAgent.osx.deployment_target = osx_deployment_target
     externalUserAgent.osx.weak_frameworks   = "AuthenticationServices"
   end
   
-  # Subspec for the full AppAuth library, including platform-dependant external user agents.
+  # Subspec for the full AppAuth library, including platform-dependent external user agents.
   s.subspec 'TV' do |tv|
-    tv.source_files = "Source/AppAuthTV.h", "Source/AppAuthTV/*.{h,m}"
+    tv.source_files = "Sources/AppAuthTV.h", "Sources/AppAuthTV/*.{h,m}"
     tv.dependency 'AppAuth/Core'
   end
 
diff --git a/AppAuth.xcodeproj/project.pbxproj b/AppAuth.xcodeproj/project.pbxproj
index 08e6f28a1..8d770d93c 100644
--- a/AppAuth.xcodeproj/project.pbxproj
+++ b/AppAuth.xcodeproj/project.pbxproj
@@ -546,6 +546,12 @@
 		60140F801DE4344200DA0DC3 /* OIDRegistrationResponse.m in Sources */ = {isa = PBXBuildFile; fileRef = 60140F7F1DE4344200DA0DC3 /* OIDRegistrationResponse.m */; };
 		60140F831DE43BAF00DA0DC3 /* OIDRegistrationRequestTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 60140F821DE43BAF00DA0DC3 /* OIDRegistrationRequestTests.m */; };
 		60140F861DE43CC700DA0DC3 /* OIDRegistrationResponseTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 60140F851DE43CC700DA0DC3 /* OIDRegistrationResponseTests.m */; };
+		73F574342B7C42690023FFF0 /* PrivacyInfo.xcprivacy in Resources */ = {isa = PBXBuildFile; fileRef = 73F574332B7C42690023FFF0 /* PrivacyInfo.xcprivacy */; };
+		73F574352B7C42690023FFF0 /* PrivacyInfo.xcprivacy in Resources */ = {isa = PBXBuildFile; fileRef = 73F574332B7C42690023FFF0 /* PrivacyInfo.xcprivacy */; };
+		73F574362B7C42690023FFF0 /* PrivacyInfo.xcprivacy in Resources */ = {isa = PBXBuildFile; fileRef = 73F574332B7C42690023FFF0 /* PrivacyInfo.xcprivacy */; };
+		73F574372B7C42690023FFF0 /* PrivacyInfo.xcprivacy in Resources */ = {isa = PBXBuildFile; fileRef = 73F574332B7C42690023FFF0 /* PrivacyInfo.xcprivacy */; };
+		73F574382B7C42690023FFF0 /* PrivacyInfo.xcprivacy in Resources */ = {isa = PBXBuildFile; fileRef = 73F574332B7C42690023FFF0 /* PrivacyInfo.xcprivacy */; };
+		73F574392B7C42690023FFF0 /* PrivacyInfo.xcprivacy in Resources */ = {isa = PBXBuildFile; fileRef = 73F574332B7C42690023FFF0 /* PrivacyInfo.xcprivacy */; };
 		A5EEF29720D821120044F470 /* OIDTokenUtilitiesTests.m in Sources */ = {isa = PBXBuildFile; fileRef = A5EEF1FD20CF07760044F470 /* OIDTokenUtilitiesTests.m */; };
 		A5EEF29820D8211A0044F470 /* OIDTokenUtilitiesTests.m in Sources */ = {isa = PBXBuildFile; fileRef = A5EEF1FD20CF07760044F470 /* OIDTokenUtilitiesTests.m */; };
 		A5EEF29920D8211B0044F470 /* OIDTokenUtilitiesTests.m in Sources */ = {isa = PBXBuildFile; fileRef = A5EEF1FD20CF07760044F470 /* OIDTokenUtilitiesTests.m */; };
@@ -827,6 +833,7 @@
 		60140F821DE43BAF00DA0DC3 /* OIDRegistrationRequestTests.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = OIDRegistrationRequestTests.m; sourceTree = "<group>"; };
 		60140F841DE43C8C00DA0DC3 /* OIDRegistrationResponseTests.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = OIDRegistrationResponseTests.h; sourceTree = "<group>"; };
 		60140F851DE43CC700DA0DC3 /* OIDRegistrationResponseTests.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = OIDRegistrationResponseTests.m; sourceTree = "<group>"; };
+		73F574332B7C42690023FFF0 /* PrivacyInfo.xcprivacy */ = {isa = PBXFileReference; lastKnownFileType = text.xml; path = PrivacyInfo.xcprivacy; sourceTree = "<group>"; };
 		A5EEF1FD20CF07760044F470 /* OIDTokenUtilitiesTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = OIDTokenUtilitiesTests.m; sourceTree = "<group>"; };
 		A6CEB1172007E384009D492A /* OIDEndSessionRequestTests.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = OIDEndSessionRequestTests.h; sourceTree = "<group>"; };
 		A6CEB1182007E384009D492A /* OIDEndSessionRequestTests.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = OIDEndSessionRequestTests.m; sourceTree = "<group>"; };
@@ -993,6 +1000,7 @@
 		2D47AAD7249A86E30059B5A4 /* AppAuthTV */ = {
 			isa = PBXGroup;
 			children = (
+				7322C49B2BA20BFA00DF9B2F /* Resources */,
 				2D47AAD9249A87010059B5A4 /* OIDTVAuthorizationRequest.h */,
 				2D47AADD249A87010059B5A4 /* OIDTVAuthorizationRequest.m */,
 				2D47AADC249A87010059B5A4 /* OIDTVAuthorizationResponse.h */,
@@ -1050,7 +1058,7 @@
 			children = (
 				341742291C5D84D0000EF209 /* Frameworks */,
 				341741FB1C5D82D3000EF209 /* UnitTests */,
-				341741AE1C5D8243000EF209 /* Source */,
+				341741AE1C5D8243000EF209 /* Sources */,
 				340E737D1C5D819B0076B1F6 /* Products */,
 			);
 			indentWidth = 2;
@@ -1082,7 +1090,7 @@
 			name = Products;
 			sourceTree = "<group>";
 		};
-		341741AE1C5D8243000EF209 /* Source */ = {
+		341741AE1C5D8243000EF209 /* Sources */ = {
 			isa = PBXGroup;
 			children = (
 				348970992178F40600ABEED4 /* CoreFramework */,
@@ -1095,7 +1103,7 @@
 				3489709E21791B0C00ABEED4 /* AppAuthCore.h */,
 				2D47AADB249A87010059B5A4 /* AppAuthTV.h */,
 			);
-			path = Source;
+			path = Sources;
 			sourceTree = "<group>";
 		};
 		341741FB1C5D82D3000EF209 /* UnitTests */ = {
@@ -1176,9 +1184,32 @@
 			path = LoopbackHTTPServer;
 			sourceTree = "<group>";
 		};
+		7322C4992BA2095100DF9B2F /* Resources */ = {
+			isa = PBXGroup;
+			children = (
+				73F574332B7C42690023FFF0 /* PrivacyInfo.xcprivacy */,
+			);
+			path = Resources;
+			sourceTree = "<group>";
+		};
+		7322C49A2BA20BEF00DF9B2F /* Resources */ = {
+			isa = PBXGroup;
+			children = (
+			);
+			path = Resources;
+			sourceTree = "<group>";
+		};
+		7322C49B2BA20BFA00DF9B2F /* Resources */ = {
+			isa = PBXGroup;
+			children = (
+			);
+			path = Resources;
+			sourceTree = "<group>";
+		};
 		8A9B9D5E24561EC40055353E /* AppAuthCore */ = {
 			isa = PBXGroup;
 			children = (
+				7322C4992BA2095100DF9B2F /* Resources */,
 				341741B41C5D8243000EF209 /* OIDAuthorizationRequest.h */,
 				341741B51C5D8243000EF209 /* OIDAuthorizationRequest.m */,
 				341741B61C5D8243000EF209 /* OIDAuthorizationResponse.h */,
@@ -1240,6 +1271,7 @@
 		8A9B9D632456227D0055353E /* AppAuth */ = {
 			isa = PBXGroup;
 			children = (
+				7322C49A2BA20BEF00DF9B2F /* Resources */,
 				340DAE241D581FE700EC285B /* macOS */,
 				F6F60FAF1D2BFEF000325CB3 /* iOS */,
 			);
@@ -1937,6 +1969,7 @@
 			isa = PBXResourcesBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				73F574392B7C42690023FFF0 /* PrivacyInfo.xcprivacy in Resources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -1965,6 +1998,7 @@
 			isa = PBXResourcesBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				73F574382B7C42690023FFF0 /* PrivacyInfo.xcprivacy in Resources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -1972,6 +2006,7 @@
 			isa = PBXResourcesBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				73F574342B7C42690023FFF0 /* PrivacyInfo.xcprivacy in Resources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -1986,6 +2021,7 @@
 			isa = PBXResourcesBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				73F574352B7C42690023FFF0 /* PrivacyInfo.xcprivacy in Resources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -1993,6 +2029,7 @@
 			isa = PBXResourcesBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				73F574362B7C42690023FFF0 /* PrivacyInfo.xcprivacy in Resources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -2007,6 +2044,7 @@
 			isa = PBXResourcesBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				73F574372B7C42690023FFF0 /* PrivacyInfo.xcprivacy in Resources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -2654,7 +2692,7 @@
 					"DEBUG=1",
 					"$(inherited)",
 				);
-				INFOPLIST_FILE = "$(SRCROOT)/Source/TVFramework/Info.plist";
+				INFOPLIST_FILE = Sources/TVFramework/Info.plist;
 				INSTALL_PATH = "$(LOCAL_LIBRARY_DIR)/Frameworks";
 				LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks @loader_path/Frameworks";
 				MTL_ENABLE_DEBUG_INFO = INCLUDE_SOURCE;
@@ -2686,7 +2724,7 @@
 				DYLIB_CURRENT_VERSION = 1;
 				DYLIB_INSTALL_NAME_BASE = "@rpath";
 				GCC_C_LANGUAGE_STANDARD = gnu11;
-				INFOPLIST_FILE = "$(SRCROOT)/Source/TVFramework/Info.plist";
+				INFOPLIST_FILE = Sources/TVFramework/Info.plist;
 				INSTALL_PATH = "$(LOCAL_LIBRARY_DIR)/Frameworks";
 				LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks @loader_path/Frameworks";
 				MTL_FAST_MATH = YES;
@@ -2998,7 +3036,7 @@
 				DYLIB_COMPATIBILITY_VERSION = 1;
 				DYLIB_CURRENT_VERSION = 1;
 				DYLIB_INSTALL_NAME_BASE = "@rpath";
-				INFOPLIST_FILE = Source/CoreFramework/Info.plist;
+				INFOPLIST_FILE = Sources/CoreFramework/Info.plist;
 				INSTALL_PATH = "$(LOCAL_LIBRARY_DIR)/Frameworks";
 				IPHONEOS_DEPLOYMENT_TARGET = 9.0;
 				LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks @loader_path/Frameworks";
@@ -3024,7 +3062,7 @@
 				DYLIB_COMPATIBILITY_VERSION = 1;
 				DYLIB_CURRENT_VERSION = 1;
 				DYLIB_INSTALL_NAME_BASE = "@rpath";
-				INFOPLIST_FILE = Source/CoreFramework/Info.plist;
+				INFOPLIST_FILE = Sources/CoreFramework/Info.plist;
 				INSTALL_PATH = "$(LOCAL_LIBRARY_DIR)/Frameworks";
 				IPHONEOS_DEPLOYMENT_TARGET = 9.0;
 				LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks @loader_path/Frameworks";
@@ -3049,7 +3087,7 @@
 				DYLIB_COMPATIBILITY_VERSION = 1;
 				DYLIB_CURRENT_VERSION = 1;
 				DYLIB_INSTALL_NAME_BASE = "@rpath";
-				INFOPLIST_FILE = Source/Framework/Info.plist;
+				INFOPLIST_FILE = Sources/Framework/Info.plist;
 				INSTALL_PATH = "$(LOCAL_LIBRARY_DIR)/Frameworks";
 				IPHONEOS_DEPLOYMENT_TARGET = 9.0;
 				LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks @loader_path/Frameworks";
@@ -3074,7 +3112,7 @@
 				DYLIB_COMPATIBILITY_VERSION = 1;
 				DYLIB_CURRENT_VERSION = 1;
 				DYLIB_INSTALL_NAME_BASE = "@rpath";
-				INFOPLIST_FILE = Source/Framework/Info.plist;
+				INFOPLIST_FILE = Sources/Framework/Info.plist;
 				INSTALL_PATH = "$(LOCAL_LIBRARY_DIR)/Frameworks";
 				IPHONEOS_DEPLOYMENT_TARGET = 9.0;
 				LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks @loader_path/Frameworks";
@@ -3128,7 +3166,7 @@
 				DYLIB_COMPATIBILITY_VERSION = 1;
 				DYLIB_CURRENT_VERSION = 1;
 				DYLIB_INSTALL_NAME_BASE = "@rpath";
-				INFOPLIST_FILE = Source/Framework/Info.plist;
+				INFOPLIST_FILE = Sources/Framework/Info.plist;
 				INSTALL_PATH = "$(LOCAL_LIBRARY_DIR)/Frameworks";
 				LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks @loader_path/Frameworks";
 				PRODUCT_BUNDLE_IDENTIFIER = "net.openid.AppAuth-watchOS";
@@ -3154,7 +3192,7 @@
 				DYLIB_COMPATIBILITY_VERSION = 1;
 				DYLIB_CURRENT_VERSION = 1;
 				DYLIB_INSTALL_NAME_BASE = "@rpath";
-				INFOPLIST_FILE = Source/Framework/Info.plist;
+				INFOPLIST_FILE = Sources/Framework/Info.plist;
 				INSTALL_PATH = "$(LOCAL_LIBRARY_DIR)/Frameworks";
 				LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks @loader_path/Frameworks";
 				PRODUCT_BUNDLE_IDENTIFIER = "net.openid.AppAuth-watchOS";
@@ -3179,7 +3217,7 @@
 				DYLIB_COMPATIBILITY_VERSION = 1;
 				DYLIB_CURRENT_VERSION = 1;
 				DYLIB_INSTALL_NAME_BASE = "@rpath";
-				INFOPLIST_FILE = Source/Framework/Info.plist;
+				INFOPLIST_FILE = Sources/Framework/Info.plist;
 				INSTALL_PATH = "$(LOCAL_LIBRARY_DIR)/Frameworks";
 				LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks @loader_path/Frameworks";
 				PRODUCT_BUNDLE_IDENTIFIER = "net.openid.AppAuth-tvOS";
@@ -3204,7 +3242,7 @@
 				DYLIB_COMPATIBILITY_VERSION = 1;
 				DYLIB_CURRENT_VERSION = 1;
 				DYLIB_INSTALL_NAME_BASE = "@rpath";
-				INFOPLIST_FILE = Source/Framework/Info.plist;
+				INFOPLIST_FILE = Sources/Framework/Info.plist;
 				INSTALL_PATH = "$(LOCAL_LIBRARY_DIR)/Frameworks";
 				LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks @loader_path/Frameworks";
 				PRODUCT_BUNDLE_IDENTIFIER = "net.openid.AppAuth-tvOS";
@@ -3261,7 +3299,7 @@
 				DYLIB_CURRENT_VERSION = 1;
 				DYLIB_INSTALL_NAME_BASE = "@rpath";
 				FRAMEWORK_VERSION = A;
-				INFOPLIST_FILE = Source/Framework/Info.plist;
+				INFOPLIST_FILE = Sources/Framework/Info.plist;
 				INSTALL_PATH = "$(LOCAL_LIBRARY_DIR)/Frameworks";
 				LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/../Frameworks @loader_path/Frameworks";
 				PRODUCT_BUNDLE_IDENTIFIER = "net.openid.AppAuth-macOS";
@@ -3286,7 +3324,7 @@
 				DYLIB_CURRENT_VERSION = 1;
 				DYLIB_INSTALL_NAME_BASE = "@rpath";
 				FRAMEWORK_VERSION = A;
-				INFOPLIST_FILE = Source/Framework/Info.plist;
+				INFOPLIST_FILE = Sources/Framework/Info.plist;
 				INSTALL_PATH = "$(LOCAL_LIBRARY_DIR)/Frameworks";
 				LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/../Frameworks @loader_path/Frameworks";
 				PRODUCT_BUNDLE_IDENTIFIER = "net.openid.AppAuth-macOS";
diff --git a/AppAuth.xcodeproj/xcshareddata/xcschemes/AppAuth-iOS.xcscheme b/AppAuth.xcodeproj/xcshareddata/xcschemes/AppAuth-iOS.xcscheme
index 5c03fe8e1..d2886e5ea 100644
--- a/AppAuth.xcodeproj/xcshareddata/xcschemes/AppAuth-iOS.xcscheme
+++ b/AppAuth.xcodeproj/xcshareddata/xcschemes/AppAuth-iOS.xcscheme
@@ -27,6 +27,15 @@
       selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
       selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
       shouldUseLaunchSchemeArgsEnv = "YES">
+      <MacroExpansion>
+         <BuildableReference
+            BuildableIdentifier = "primary"
+            BlueprintIdentifier = "340E737B1C5D819B0076B1F6"
+            BuildableName = "libAppAuth-iOS.a"
+            BlueprintName = "AppAuth-iOS"
+            ReferencedContainer = "container:AppAuth.xcodeproj">
+         </BuildableReference>
+      </MacroExpansion>
       <Testables>
          <TestableReference
             skipped = "NO">
@@ -39,17 +48,6 @@
             </BuildableReference>
          </TestableReference>
       </Testables>
-      <MacroExpansion>
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "340E737B1C5D819B0076B1F6"
-            BuildableName = "libAppAuth-iOS.a"
-            BlueprintName = "AppAuth-iOS"
-            ReferencedContainer = "container:AppAuth.xcodeproj">
-         </BuildableReference>
-      </MacroExpansion>
-      <AdditionalOptions>
-      </AdditionalOptions>
    </TestAction>
    <LaunchAction
       buildConfiguration = "Debug"
@@ -70,8 +68,6 @@
             ReferencedContainer = "container:AppAuth.xcodeproj">
          </BuildableReference>
       </MacroExpansion>
-      <AdditionalOptions>
-      </AdditionalOptions>
    </LaunchAction>
    <ProfileAction
       buildConfiguration = "Release"
diff --git a/AppAuth.xcodeproj/xcshareddata/xcschemes/AppAuth-macOS.xcscheme b/AppAuth.xcodeproj/xcshareddata/xcschemes/AppAuth-macOS.xcscheme
index aa261aca6..74b33a822 100644
--- a/AppAuth.xcodeproj/xcshareddata/xcschemes/AppAuth-macOS.xcscheme
+++ b/AppAuth.xcodeproj/xcshareddata/xcschemes/AppAuth-macOS.xcscheme
@@ -27,6 +27,15 @@
       selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
       selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
       shouldUseLaunchSchemeArgsEnv = "YES">
+      <MacroExpansion>
+         <BuildableReference
+            BuildableIdentifier = "primary"
+            BlueprintIdentifier = "340DAE4D1D58216A00EC285B"
+            BuildableName = "libAppAuth-macOS.a"
+            BlueprintName = "AppAuth-macOS"
+            ReferencedContainer = "container:AppAuth.xcodeproj">
+         </BuildableReference>
+      </MacroExpansion>
       <Testables>
          <TestableReference
             skipped = "NO">
@@ -39,17 +48,6 @@
             </BuildableReference>
          </TestableReference>
       </Testables>
-      <MacroExpansion>
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "340DAE4D1D58216A00EC285B"
-            BuildableName = "libAppAuth-macOS.a"
-            BlueprintName = "AppAuth-macOS"
-            ReferencedContainer = "container:AppAuth.xcodeproj">
-         </BuildableReference>
-      </MacroExpansion>
-      <AdditionalOptions>
-      </AdditionalOptions>
    </TestAction>
    <LaunchAction
       buildConfiguration = "Debug"
@@ -70,8 +68,6 @@
             ReferencedContainer = "container:AppAuth.xcodeproj">
          </BuildableReference>
       </MacroExpansion>
-      <AdditionalOptions>
-      </AdditionalOptions>
    </LaunchAction>
    <ProfileAction
       buildConfiguration = "Release"
diff --git a/AppAuth.xcodeproj/xcshareddata/xcschemes/AppAuth-tvOS.xcscheme b/AppAuth.xcodeproj/xcshareddata/xcschemes/AppAuth-tvOS.xcscheme
index da45e3e3d..1bd405e2c 100644
--- a/AppAuth.xcodeproj/xcshareddata/xcschemes/AppAuth-tvOS.xcscheme
+++ b/AppAuth.xcodeproj/xcshareddata/xcschemes/AppAuth-tvOS.xcscheme
@@ -27,6 +27,15 @@
       selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
       selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
       shouldUseLaunchSchemeArgsEnv = "YES">
+      <MacroExpansion>
+         <BuildableReference
+            BuildableIdentifier = "primary"
+            BlueprintIdentifier = "341E707D1DE18744004353C1"
+            BuildableName = "libAppAuth-tvOS.a"
+            BlueprintName = "AppAuth-tvOS"
+            ReferencedContainer = "container:AppAuth.xcodeproj">
+         </BuildableReference>
+      </MacroExpansion>
       <Testables>
          <TestableReference
             skipped = "NO">
@@ -39,17 +48,6 @@
             </BuildableReference>
          </TestableReference>
       </Testables>
-      <MacroExpansion>
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "341E707D1DE18744004353C1"
-            BuildableName = "libAppAuth-tvOS.a"
-            BlueprintName = "AppAuth-tvOS"
-            ReferencedContainer = "container:AppAuth.xcodeproj">
-         </BuildableReference>
-      </MacroExpansion>
-      <AdditionalOptions>
-      </AdditionalOptions>
    </TestAction>
    <LaunchAction
       buildConfiguration = "Debug"
@@ -70,8 +68,6 @@
             ReferencedContainer = "container:AppAuth.xcodeproj">
          </BuildableReference>
       </MacroExpansion>
-      <AdditionalOptions>
-      </AdditionalOptions>
    </LaunchAction>
    <ProfileAction
       buildConfiguration = "Release"
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b682c8a8b..6411e5afb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,19 @@
+# 1.7.3
+- Fix missing manifest in bundle using SPM ([#833](https://github.com/openid/AppAuth-iOS/pull/833))
+
+# 1.7.2
+ - Streamline copying of privacy manifest ([#830](https://github.com/openid/AppAuth-iOS/pull/830))
+
+# 1.7.1
+- Add back missing method to OIDAuthorizationResponse ([#825](https://github.com/openid/AppAuth-iOS/pull/825))
+- Fix OIDTokenRequest for AppAuthCore and AppAuthTV ([#826](https://github.com/openid/AppAuth-iOS/pull/826))
+
+# 1.7.0
+- Introduce addtional http headers to OIDTokenRequest ([#770](https://github.com/openid/AppAuth-iOS/pull/770))
+- Fix nullability annotation for -[OIDExternalUserAgentIOS init] ([#727](https://github.com/openid/AppAuth-iOS/pull/727))
+- Feat: allow custom nonce in OIDAuthorizationRequest ([#788](https://github.com/openid/AppAuth-iOS/pull/788))
+- Add privacy manifest ([#822](https://github.com/openid/AppAuth-iOS/pull/822))
+
 # 1.6.2
 - Increased minimum iOS and macOS versions to 9.0 and 10.12 respectively to fix [framework build issue](https://github.com/openid/AppAuth-iOS/issues/765)
 
diff --git a/Examples/Example-iOS_ObjC-Carthage/Source/AppAuthExampleViewController.m b/Examples/Example-iOS_ObjC-Carthage/Source/AppAuthExampleViewController.m
index dc76a8c9c..4d58cf9d2 100644
--- a/Examples/Example-iOS_ObjC-Carthage/Source/AppAuthExampleViewController.m
+++ b/Examples/Example-iOS_ObjC-Carthage/Source/AppAuthExampleViewController.m
@@ -177,7 +177,8 @@ - (void)doClientRegistration:(OIDServiceConfiguration *)configuration
                                                    grantTypes:nil
                                                   subjectType:nil
                                       tokenEndpointAuthMethod:@"client_secret_post"
-                                         additionalParameters:nil];
+                                         additionalParameters:nil
+                                            additionalHeaders:nil];
     // performs registration request
     [self logMessage:@"Initiating registration request"];
 
diff --git a/Examples/Example-iOS_ObjC/Example-iOS_ObjC.xcodeproj/project.pbxproj b/Examples/Example-iOS_ObjC/Example-iOS_ObjC.xcodeproj/project.pbxproj
index eb38b576d..7f3f2de68 100644
--- a/Examples/Example-iOS_ObjC/Example-iOS_ObjC.xcodeproj/project.pbxproj
+++ b/Examples/Example-iOS_ObjC/Example-iOS_ObjC.xcodeproj/project.pbxproj
@@ -19,8 +19,8 @@
 		346E91991C2A245000D3620B /* SafariServices.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 346E91981C2A245000D3620B /* SafariServices.framework */; };
 		34CB09BD1C42007600A54261 /* AppAuthExampleViewController.m in Sources */ = {isa = PBXBuildFile; fileRef = 34CB09BB1C42007600A54261 /* AppAuthExampleViewController.m */; };
 		34CB09BE1C42007600A54261 /* AppAuthExampleViewController.xib in Resources */ = {isa = PBXBuildFile; fileRef = 34CB09BC1C42007600A54261 /* AppAuthExampleViewController.xib */; };
-		D0B5FA33D74A6F7924A47471 /* libPods-Example-iOS_ObjC_Extension.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 715EDB7EC4271193E47615ED /* libPods-Example-iOS_ObjC_Extension.a */; };
-		E46F8589CE9E5DDFA69D835B /* libPods-Example-iOS_ObjC.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 8B61A918CBE7B8142CD7D8B3 /* libPods-Example-iOS_ObjC.a */; };
+		BE28448F8FD76A9C12A30150 /* Pods_Example_iOS_ObjC_Extension.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 3CC004951DF03519C52500EC /* Pods_Example_iOS_ObjC_Extension.framework */; };
+		C46B36D00F282572B5747D71 /* Pods_Example_iOS_ObjC.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 43D84745AE558B974A2E64F7 /* Pods_Example_iOS_ObjC.framework */; };
 /* End PBXBuildFile section */
 
 /* Begin PBXContainerItemProxy section */
@@ -81,9 +81,9 @@
 		34CB09BB1C42007600A54261 /* AppAuthExampleViewController.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = AppAuthExampleViewController.m; sourceTree = "<group>"; };
 		34CB09BC1C42007600A54261 /* AppAuthExampleViewController.xib */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = file.xib; path = AppAuthExampleViewController.xib; sourceTree = "<group>"; };
 		3A18DF082AC2FA0980C9DE57 /* Pods-Example-iOS_ObjC_Extension.release.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-Example-iOS_ObjC_Extension.release.xcconfig"; path = "Pods/Target Support Files/Pods-Example-iOS_ObjC_Extension/Pods-Example-iOS_ObjC_Extension.release.xcconfig"; sourceTree = "<group>"; };
-		715EDB7EC4271193E47615ED /* libPods-Example-iOS_ObjC_Extension.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = "libPods-Example-iOS_ObjC_Extension.a"; sourceTree = BUILT_PRODUCTS_DIR; };
+		3CC004951DF03519C52500EC /* Pods_Example_iOS_ObjC_Extension.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = Pods_Example_iOS_ObjC_Extension.framework; sourceTree = BUILT_PRODUCTS_DIR; };
+		43D84745AE558B974A2E64F7 /* Pods_Example_iOS_ObjC.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = Pods_Example_iOS_ObjC.framework; sourceTree = BUILT_PRODUCTS_DIR; };
 		86C7660572AE6FF7A4D1592A /* Pods-Example-iOS_ObjC_Extension.debug.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-Example-iOS_ObjC_Extension.debug.xcconfig"; path = "Pods/Target Support Files/Pods-Example-iOS_ObjC_Extension/Pods-Example-iOS_ObjC_Extension.debug.xcconfig"; sourceTree = "<group>"; };
-		8B61A918CBE7B8142CD7D8B3 /* libPods-Example-iOS_ObjC.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = "libPods-Example-iOS_ObjC.a"; sourceTree = BUILT_PRODUCTS_DIR; };
 		C4C31DB4A4928F246AA03805 /* Pods-Example.release.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-Example.release.xcconfig"; path = "Pods/Target Support Files/Pods-Example/Pods-Example.release.xcconfig"; sourceTree = "<group>"; };
 		D9867DC6FA9089CD613D4728 /* Pods-Example.debug.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-Example.debug.xcconfig"; path = "Pods/Target Support Files/Pods-Example/Pods-Example.debug.xcconfig"; sourceTree = "<group>"; };
 		ECBCCC4A1A779C83C72044F2 /* Pods-Example-iOS_ObjC.release.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-Example-iOS_ObjC.release.xcconfig"; path = "Pods/Target Support Files/Pods-Example-iOS_ObjC/Pods-Example-iOS_ObjC.release.xcconfig"; sourceTree = "<group>"; };
@@ -95,7 +95,7 @@
 			buildActionMask = 2147483647;
 			files = (
 				06D4812F2055C3D400D9DC32 /* NotificationCenter.framework in Frameworks */,
-				D0B5FA33D74A6F7924A47471 /* libPods-Example-iOS_ObjC_Extension.a in Frameworks */,
+				BE28448F8FD76A9C12A30150 /* Pods_Example_iOS_ObjC_Extension.framework in Frameworks */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -111,7 +111,7 @@
 			buildActionMask = 2147483647;
 			files = (
 				346E91991C2A245000D3620B /* SafariServices.framework in Frameworks */,
-				E46F8589CE9E5DDFA69D835B /* libPods-Example-iOS_ObjC.a in Frameworks */,
+				C46B36D00F282572B5747D71 /* Pods_Example_iOS_ObjC.framework in Frameworks */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -145,9 +145,9 @@
 				3474C8DD1DFCB08E00F22B34 /* libAppAuth-iOS.a */,
 				346E91981C2A245000D3620B /* SafariServices.framework */,
 				09795EAF079B07A1781675D9 /* libPods-Example.a */,
-				8B61A918CBE7B8142CD7D8B3 /* libPods-Example-iOS_ObjC.a */,
 				06D4812E2055C3D400D9DC32 /* NotificationCenter.framework */,
-				715EDB7EC4271193E47615ED /* libPods-Example-iOS_ObjC_Extension.a */,
+				43D84745AE558B974A2E64F7 /* Pods_Example_iOS_ObjC.framework */,
+				3CC004951DF03519C52500EC /* Pods_Example_iOS_ObjC_Extension.framework */,
 			);
 			name = Frameworks;
 			sourceTree = "<group>";
@@ -252,6 +252,7 @@
 				346E91661C29D42800D3620B /* Frameworks */,
 				346E91671C29D42800D3620B /* Resources */,
 				06D4813E2055C3D400D9DC32 /* Embed App Extensions */,
+				0B7CB92A32140E833CA8FF89 /* [CP] Embed Pods Frameworks */,
 			);
 			buildRules = (
 			);
@@ -301,6 +302,7 @@
 			developmentRegion = English;
 			hasScannedForEncodings = 0;
 			knownRegions = (
+				English,
 				en,
 				Base,
 			);
@@ -345,6 +347,24 @@
 /* End PBXResourcesBuildPhase section */
 
 /* Begin PBXShellScriptBuildPhase section */
+		0B7CB92A32140E833CA8FF89 /* [CP] Embed Pods Frameworks */ = {
+			isa = PBXShellScriptBuildPhase;
+			buildActionMask = 2147483647;
+			files = (
+			);
+			inputPaths = (
+				"${PODS_ROOT}/Target Support Files/Pods-Example-iOS_ObjC/Pods-Example-iOS_ObjC-frameworks.sh",
+				"${BUILT_PRODUCTS_DIR}/AppAuth/AppAuth.framework",
+			);
+			name = "[CP] Embed Pods Frameworks";
+			outputPaths = (
+				"${TARGET_BUILD_DIR}/${FRAMEWORKS_FOLDER_PATH}/AppAuth.framework",
+			);
+			runOnlyForDeploymentPostprocessing = 0;
+			shellPath = /bin/sh;
+			shellScript = "\"${PODS_ROOT}/Target Support Files/Pods-Example-iOS_ObjC/Pods-Example-iOS_ObjC-frameworks.sh\"\n";
+			showEnvVarsInLog = 0;
+		};
 		836219F293F319703A16E68D /* [CP] Check Pods Manifest.lock */ = {
 			isa = PBXShellScriptBuildPhase;
 			buildActionMask = 2147483647;
@@ -468,7 +488,7 @@
 				DEVELOPMENT_TEAM = "";
 				GCC_C_LANGUAGE_STANDARD = gnu11;
 				INFOPLIST_FILE = "Example-iOS_ObjC_Extension/Info.plist";
-				IPHONEOS_DEPLOYMENT_TARGET = 8.0;
+				IPHONEOS_DEPLOYMENT_TARGET = 9.0;
 				LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks @executable_path/../../Frameworks";
 				PRODUCT_BUNDLE_IDENTIFIER = "net.openid.appauth.Example.Example-iOS-ObjC-Extension";
 				PRODUCT_NAME = "$(TARGET_NAME)";
@@ -500,7 +520,7 @@
 				DEVELOPMENT_TEAM = "";
 				GCC_C_LANGUAGE_STANDARD = gnu11;
 				INFOPLIST_FILE = "Example-iOS_ObjC_Extension/Info.plist";
-				IPHONEOS_DEPLOYMENT_TARGET = 8.0;
+				IPHONEOS_DEPLOYMENT_TARGET = 9.0;
 				LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks @executable_path/../../Frameworks";
 				PRODUCT_BUNDLE_IDENTIFIER = "net.openid.appauth.Example.Example-iOS-ObjC-Extension";
 				PRODUCT_NAME = "$(TARGET_NAME)";
@@ -520,7 +540,7 @@
 				"CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "iPhone Developer";
 				DEVELOPMENT_TEAM = "";
 				INFOPLIST_FILE = Tests/Info.plist;
-				IPHONEOS_DEPLOYMENT_TARGET = 10.2;
+				IPHONEOS_DEPLOYMENT_TARGET = 9.0;
 				LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks @loader_path/Frameworks";
 				PRODUCT_BUNDLE_IDENTIFIER = net.openid.AppAuthExampleTests;
 				PRODUCT_NAME = "$(TARGET_NAME)";
@@ -539,7 +559,7 @@
 				"CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "iPhone Developer";
 				DEVELOPMENT_TEAM = "";
 				INFOPLIST_FILE = Tests/Info.plist;
-				IPHONEOS_DEPLOYMENT_TARGET = 10.2;
+				IPHONEOS_DEPLOYMENT_TARGET = 9.0;
 				LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks @loader_path/Frameworks";
 				PRODUCT_BUNDLE_IDENTIFIER = net.openid.AppAuthExampleTests;
 				PRODUCT_NAME = "$(TARGET_NAME)";
@@ -642,7 +662,7 @@
 				CODE_SIGN_IDENTITY = "iPhone Developer";
 				DEVELOPMENT_TEAM = "";
 				INFOPLIST_FILE = Source/Info.plist;
-				IPHONEOS_DEPLOYMENT_TARGET = 7.0;
+				IPHONEOS_DEPLOYMENT_TARGET = 9.0;
 				LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks";
 				PRODUCT_BUNDLE_IDENTIFIER = net.openid.appauth.Example;
 				PRODUCT_NAME = "$(TARGET_NAME)";
@@ -658,7 +678,7 @@
 				CODE_SIGN_IDENTITY = "iPhone Developer";
 				DEVELOPMENT_TEAM = "";
 				INFOPLIST_FILE = Source/Info.plist;
-				IPHONEOS_DEPLOYMENT_TARGET = 7.0;
+				IPHONEOS_DEPLOYMENT_TARGET = 9.0;
 				LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks";
 				PRODUCT_BUNDLE_IDENTIFIER = net.openid.appauth.Example;
 				PRODUCT_NAME = "$(TARGET_NAME)";
diff --git a/Examples/Example-iOS_ObjC/Podfile b/Examples/Example-iOS_ObjC/Podfile
index a4354d010..600de7d10 100644
--- a/Examples/Example-iOS_ObjC/Podfile
+++ b/Examples/Example-iOS_ObjC/Podfile
@@ -1,4 +1,6 @@
-platform :ios, '9.0'
+platform :ios, '11.0'
+
+use_frameworks! 
 
 target 'Example-iOS_ObjC' do
   # AppAuth Pod
diff --git a/Examples/Example-iOS_ObjC/Source/AppAuthExampleViewController.m b/Examples/Example-iOS_ObjC/Source/AppAuthExampleViewController.m
index 2c3ebe03e..a4accb51b 100644
--- a/Examples/Example-iOS_ObjC/Source/AppAuthExampleViewController.m
+++ b/Examples/Example-iOS_ObjC/Source/AppAuthExampleViewController.m
@@ -179,8 +179,10 @@ - (void)doClientRegistration:(OIDServiceConfiguration *)configuration
                                                    grantTypes:nil
                                                   subjectType:nil
                                       tokenEndpointAuthMethod:@"client_secret_post"
+                                           initialAccessToken:nil
                                          additionalParameters:nil];
-    // performs registration request
+
+  // performs registration request
     [self logMessage:@"Initiating registration request"];
 
     [OIDAuthorizationService performRegistrationRequest:request
diff --git a/Examples/Example-iOS_Swift-Carthage/Source/AppAuthExampleViewController.swift b/Examples/Example-iOS_Swift-Carthage/Source/AppAuthExampleViewController.swift
index f70540472..91cf79fa4 100644
--- a/Examples/Example-iOS_Swift-Carthage/Source/AppAuthExampleViewController.swift
+++ b/Examples/Example-iOS_Swift-Carthage/Source/AppAuthExampleViewController.swift
@@ -349,7 +349,8 @@ extension AppAuthExampleViewController {
                                                                      grantTypes: nil,
                                                                      subjectType: nil,
                                                                      tokenEndpointAuthMethod: "client_secret_post",
-                                                                     additionalParameters: nil)
+                                                                     additionalParameters: nil,
+                                                                     additionalHeaders: nil)
 
         // performs registration request
         self.logMessage("Initiating registration request")
diff --git a/Examples/Example-macOS/Example-macOS.xcodeproj/project.pbxproj b/Examples/Example-macOS/Example-macOS.xcodeproj/project.pbxproj
index 8990ba02e..13bb1c957 100644
--- a/Examples/Example-macOS/Example-macOS.xcodeproj/project.pbxproj
+++ b/Examples/Example-macOS/Example-macOS.xcodeproj/project.pbxproj
@@ -156,7 +156,6 @@
 				F6016E6C1D2AC11F003497D7 /* Sources */,
 				F6016E6D1D2AC11F003497D7 /* Frameworks */,
 				F6016E6E1D2AC11F003497D7 /* Resources */,
-				52872C7E76CB3EA69F4392F7 /* [CP] Embed Pods Frameworks */,
 				1C5B2EF60536044DE119E500 /* [CP] Copy Pods Resources */,
 			);
 			buildRules = (
@@ -192,6 +191,7 @@
 			developmentRegion = English;
 			hasScannedForEncodings = 0;
 			knownRegions = (
+				English,
 				en,
 				Base,
 			);
@@ -233,28 +233,18 @@
 			files = (
 			);
 			inputPaths = (
+				"${PODS_ROOT}/Target Support Files/Pods-Example-macOS/Pods-Example-macOS-resources.sh",
+				"${PODS_CONFIGURATION_BUILD_DIR}/AppAuth/AppAuthCore_Privacy.bundle",
+				"${PODS_CONFIGURATION_BUILD_DIR}/AppAuth/AppAuthExternalUserAgent_Privacy.bundle",
 			);
 			name = "[CP] Copy Pods Resources";
 			outputPaths = (
+				"${TARGET_BUILD_DIR}/${UNLOCALIZED_RESOURCES_FOLDER_PATH}/AppAuthCore_Privacy.bundle",
+				"${TARGET_BUILD_DIR}/${UNLOCALIZED_RESOURCES_FOLDER_PATH}/AppAuthExternalUserAgent_Privacy.bundle",
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
-			shellScript = "\"${SRCROOT}/Pods/Target Support Files/Pods-Example-macOS/Pods-Example-macOS-resources.sh\"\n";
-			showEnvVarsInLog = 0;
-		};
-		52872C7E76CB3EA69F4392F7 /* [CP] Embed Pods Frameworks */ = {
-			isa = PBXShellScriptBuildPhase;
-			buildActionMask = 2147483647;
-			files = (
-			);
-			inputPaths = (
-			);
-			name = "[CP] Embed Pods Frameworks";
-			outputPaths = (
-			);
-			runOnlyForDeploymentPostprocessing = 0;
-			shellPath = /bin/sh;
-			shellScript = "\"${SRCROOT}/Pods/Target Support Files/Pods-Example-macOS/Pods-Example-macOS-frameworks.sh\"\n";
+			shellScript = "\"${PODS_ROOT}/Target Support Files/Pods-Example-macOS/Pods-Example-macOS-resources.sh\"\n";
 			showEnvVarsInLog = 0;
 		};
 		C9395BB900D0A44A3F7EB0BE /* [CP] Check Pods Manifest.lock */ = {
@@ -263,13 +253,16 @@
 			files = (
 			);
 			inputPaths = (
+				"${PODS_PODFILE_DIR_PATH}/Podfile.lock",
+				"${PODS_ROOT}/Manifest.lock",
 			);
 			name = "[CP] Check Pods Manifest.lock";
 			outputPaths = (
+				"$(DERIVED_FILE_DIR)/Pods-Example-macOS-checkManifestLockResult.txt",
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
-			shellScript = "diff \"${PODS_ROOT}/../Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n    # print error to STDERR\n    echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n    exit 1\nfi\n";
+			shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n    # print error to STDERR\n    echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n    exit 1\nfi\n# This output is used by Xcode 'outputs' to avoid re-running this script phase.\necho \"SUCCESS\" > \"${SCRIPT_OUTPUT_FILE_0}\"\n";
 			showEnvVarsInLog = 0;
 		};
 /* End PBXShellScriptBuildPhase section */
@@ -446,6 +439,7 @@
 				COMBINE_HIDPI_IMAGES = YES;
 				INFOPLIST_FILE = "$(SRCROOT)/Source/Info.plist";
 				LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/../Frameworks";
+				MACOSX_DEPLOYMENT_TARGET = 10.12;
 				PRODUCT_BUNDLE_IDENTIFIER = "net.openid.appauth.Example-macOS";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 			};
@@ -459,6 +453,7 @@
 				COMBINE_HIDPI_IMAGES = YES;
 				INFOPLIST_FILE = "$(SRCROOT)/Source/Info.plist";
 				LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/../Frameworks";
+				MACOSX_DEPLOYMENT_TARGET = 10.12;
 				PRODUCT_BUNDLE_IDENTIFIER = "net.openid.appauth.Example-macOS";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 			};
@@ -474,6 +469,7 @@
 				341AA4C81E7F2E5000FCA5C6 /* Release */,
 			);
 			defaultConfigurationIsVisible = 0;
+			defaultConfigurationName = Release;
 		};
 		F6016E6B1D2AC11E003497D7 /* Build configuration list for PBXProject "Example-macOS" */ = {
 			isa = XCConfigurationList;
diff --git a/Examples/Example-macOS/Podfile b/Examples/Example-macOS/Podfile
index 5b8ce01ab..e0c0aced9 100644
--- a/Examples/Example-macOS/Podfile
+++ b/Examples/Example-macOS/Podfile
@@ -1,5 +1,5 @@
 target 'Example-macOS' do
-  platform :osx, '10.10'
+  platform :osx, '10.12'
 
   # AppAuth Pod
   # In production, just use `pod 'AppAuth'` without the path reference.
diff --git a/Examples/Example-tvOS/Example-tvOS.xcodeproj/project.pbxproj b/Examples/Example-tvOS/Example-tvOS.xcodeproj/project.pbxproj
index c70129f75..b2e8a7d1a 100644
--- a/Examples/Example-tvOS/Example-tvOS.xcodeproj/project.pbxproj
+++ b/Examples/Example-tvOS/Example-tvOS.xcodeproj/project.pbxproj
@@ -13,7 +13,7 @@
 		2D91B7B0248EA17D0005B197 /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = 2D91B7AF248EA17D0005B197 /* Assets.xcassets */; };
 		2D91B7B3248EA17D0005B197 /* LaunchScreen.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = 2D91B7B1248EA17D0005B197 /* LaunchScreen.storyboard */; };
 		2D91B7B6248EA17E0005B197 /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = 2D91B7B5248EA17E0005B197 /* main.m */; };
-		424A8D8BA4EB0A6C9FF4326A /* libPods-Example-tvOS.a in Frameworks */ = {isa = PBXBuildFile; fileRef = EEBF9489D390F9D0913AE178 /* libPods-Example-tvOS.a */; };
+		FEFBCAF105C70E934E5A4975 /* Pods_Example_tvOS.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = F58A1FCA981D60A0EA8A3E5A /* Pods_Example_tvOS.framework */; };
 /* End PBXBuildFile section */
 
 /* Begin PBXFileReference section */
@@ -29,7 +29,7 @@
 		2D91B7B4248EA17D0005B197 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
 		2D91B7B5248EA17E0005B197 /* main.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = "<group>"; };
 		D33A601E3AA7C8647C857C08 /* Pods-Example-tvOS.debug.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-Example-tvOS.debug.xcconfig"; path = "Target Support Files/Pods-Example-tvOS/Pods-Example-tvOS.debug.xcconfig"; sourceTree = "<group>"; };
-		EEBF9489D390F9D0913AE178 /* libPods-Example-tvOS.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = "libPods-Example-tvOS.a"; sourceTree = BUILT_PRODUCTS_DIR; };
+		F58A1FCA981D60A0EA8A3E5A /* Pods_Example_tvOS.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = Pods_Example_tvOS.framework; sourceTree = BUILT_PRODUCTS_DIR; };
 /* End PBXFileReference section */
 
 /* Begin PBXFrameworksBuildPhase section */
@@ -37,7 +37,7 @@
 			isa = PBXFrameworksBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
-				424A8D8BA4EB0A6C9FF4326A /* libPods-Example-tvOS.a in Frameworks */,
+				FEFBCAF105C70E934E5A4975 /* Pods_Example_tvOS.framework in Frameworks */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -81,7 +81,7 @@
 		9CCA3BB0D6EA112455518E2C /* Frameworks */ = {
 			isa = PBXGroup;
 			children = (
-				EEBF9489D390F9D0913AE178 /* libPods-Example-tvOS.a */,
+				F58A1FCA981D60A0EA8A3E5A /* Pods_Example_tvOS.framework */,
 			);
 			name = Frameworks;
 			sourceTree = "<group>";
@@ -106,6 +106,7 @@
 				2D91B79F248EA17C0005B197 /* Sources */,
 				2D91B7A0248EA17C0005B197 /* Frameworks */,
 				2D91B7A1248EA17C0005B197 /* Resources */,
+				C86108A8D245915451E09E53 /* [CP] Embed Pods Frameworks */,
 			);
 			buildRules = (
 			);
@@ -184,6 +185,23 @@
 			shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n    # print error to STDERR\n    echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n    exit 1\nfi\n# This output is used by Xcode 'outputs' to avoid re-running this script phase.\necho \"SUCCESS\" > \"${SCRIPT_OUTPUT_FILE_0}\"\n";
 			showEnvVarsInLog = 0;
 		};
+		C86108A8D245915451E09E53 /* [CP] Embed Pods Frameworks */ = {
+			isa = PBXShellScriptBuildPhase;
+			buildActionMask = 2147483647;
+			files = (
+			);
+			inputFileListPaths = (
+				"${PODS_ROOT}/Target Support Files/Pods-Example-tvOS/Pods-Example-tvOS-frameworks-${CONFIGURATION}-input-files.xcfilelist",
+			);
+			name = "[CP] Embed Pods Frameworks";
+			outputFileListPaths = (
+				"${PODS_ROOT}/Target Support Files/Pods-Example-tvOS/Pods-Example-tvOS-frameworks-${CONFIGURATION}-output-files.xcfilelist",
+			);
+			runOnlyForDeploymentPostprocessing = 0;
+			shellPath = /bin/sh;
+			shellScript = "\"${PODS_ROOT}/Target Support Files/Pods-Example-tvOS/Pods-Example-tvOS-frameworks.sh\"\n";
+			showEnvVarsInLog = 0;
+		};
 /* End PBXShellScriptBuildPhase section */
 
 /* Begin PBXSourcesBuildPhase section */
diff --git a/Examples/Example-tvOS/Example-tvOS/AppAuthTVExampleViewController.m b/Examples/Example-tvOS/Example-tvOS/AppAuthTVExampleViewController.m
index 3d461619d..1cdfb5ccf 100644
--- a/Examples/Example-tvOS/Example-tvOS/AppAuthTVExampleViewController.m
+++ b/Examples/Example-tvOS/Example-tvOS/AppAuthTVExampleViewController.m
@@ -175,7 +175,7 @@ - (void)performAuthorizationWithConfiguration:(OIDTVServiceConfiguration *)confi
       [[OIDTVAuthorizationRequest alloc] initWithConfiguration:configuration
                                                       clientId:kClientID
                                                   clientSecret:kClientSecret
-                                                        scopes:@[ OIDScopeOpenID, OIDScopeProfile ]
+                                                        scopes:@[ OIDScopeOpenID, OIDScopeProfile ] 
                                           additionalParameters:nil];
 
   OIDTVAuthorizationInitialization initBlock =
diff --git a/Examples/Example-tvOS/Podfile b/Examples/Example-tvOS/Podfile
index 979341635..3e7ac1135 100644
--- a/Examples/Example-tvOS/Podfile
+++ b/Examples/Example-tvOS/Podfile
@@ -1,5 +1,7 @@
 platform :tvos, '9.0'
 
+use_frameworks!
+
 target 'Example-tvOS' do
   # AppAuth Pod, TV subspec
   # In production, just use `pod 'AppAuth/TV'` without the path reference.
diff --git a/Package.swift b/Package.swift
index d96a602d6..208eaf467 100644
--- a/Package.swift
+++ b/Package.swift
@@ -1,4 +1,4 @@
-// swift-tools-version:5.1
+// swift-tools-version:5.3
 // The swift-tools-version declares the minimum version of Swift required to build this package.
 import PackageDescription
 
@@ -43,14 +43,16 @@ let package = Package(
     targets: [
         .target(
             name: "AppAuthCore",
-            path: "Source/AppAuthCore",
+            path: "Sources/AppAuthCore",
+            resources: [.copy("Resources/PrivacyInfo.xcprivacy")],
             publicHeadersPath: ""
         ),
         .target(
             name: "AppAuth",
             dependencies: ["AppAuthCore"],
-            path: "Source/AppAuth",
+            path: "Sources/AppAuth",
             sources: ["iOS", "macOS"],
+            resources: [.copy("Resources/PrivacyInfo.xcprivacy")],
             publicHeadersPath: "",
             cSettings: [
                 .headerSearchPath("iOS"),
@@ -61,7 +63,8 @@ let package = Package(
         .target(
             name: "AppAuthTV",
             dependencies: ["AppAuthCore"],
-            path: "Source/AppAuthTV",
+            path: "Sources/AppAuthTV",
+            resources: [.copy("Resources/PrivacyInfo.xcprivacy")],
             publicHeadersPath: ""
         ),
         .testTarget(
diff --git a/README.md b/README.md
index 78f79959f..53085b3c4 100644
--- a/README.md
+++ b/README.md
@@ -516,7 +516,8 @@ OIDTVAuthorizationRequest *request =
                                                     clientId:kClientID
                                                 clientSecret:kClientSecret
                                                       scopes:@[ OIDScopeOpenID, OIDScopeProfile ]
-                                        additionalParameters:nil];
+                                        additionalParameters:nil
+                                           additionalHeaders:nil];
 
 // performs authentication request
 OIDTVAuthorizationInitialization initBlock =
diff --git a/Source/AppAuth.h b/Sources/AppAuth.h
similarity index 100%
rename from Source/AppAuth.h
rename to Sources/AppAuth.h
diff --git a/Sources/AppAuth/Resources/PrivacyInfo.xcprivacy b/Sources/AppAuth/Resources/PrivacyInfo.xcprivacy
new file mode 100644
index 000000000..cc6746dcb
--- /dev/null
+++ b/Sources/AppAuth/Resources/PrivacyInfo.xcprivacy
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>NSPrivacyAccessedAPITypes</key>
+	<array>
+	</array>
+	<key>NSPrivacyCollectedDataTypes</key>
+	<array>
+	</array>
+	<key>NSPrivacyTrackingDomains</key>
+	<array/>
+	<key>NSPrivacyTracking</key>
+	<false/>
+</dict>
+</plist>
diff --git a/Source/AppAuth/iOS/OIDAuthState+IOS.h b/Sources/AppAuth/iOS/OIDAuthState+IOS.h
similarity index 100%
rename from Source/AppAuth/iOS/OIDAuthState+IOS.h
rename to Sources/AppAuth/iOS/OIDAuthState+IOS.h
diff --git a/Source/AppAuth/iOS/OIDAuthState+IOS.m b/Sources/AppAuth/iOS/OIDAuthState+IOS.m
similarity index 100%
rename from Source/AppAuth/iOS/OIDAuthState+IOS.m
rename to Sources/AppAuth/iOS/OIDAuthState+IOS.m
diff --git a/Source/AppAuth/iOS/OIDAuthorizationService+IOS.h b/Sources/AppAuth/iOS/OIDAuthorizationService+IOS.h
similarity index 100%
rename from Source/AppAuth/iOS/OIDAuthorizationService+IOS.h
rename to Sources/AppAuth/iOS/OIDAuthorizationService+IOS.h
diff --git a/Source/AppAuth/iOS/OIDAuthorizationService+IOS.m b/Sources/AppAuth/iOS/OIDAuthorizationService+IOS.m
similarity index 100%
rename from Source/AppAuth/iOS/OIDAuthorizationService+IOS.m
rename to Sources/AppAuth/iOS/OIDAuthorizationService+IOS.m
diff --git a/Source/AppAuth/iOS/OIDExternalUserAgentCatalyst.h b/Sources/AppAuth/iOS/OIDExternalUserAgentCatalyst.h
similarity index 100%
rename from Source/AppAuth/iOS/OIDExternalUserAgentCatalyst.h
rename to Sources/AppAuth/iOS/OIDExternalUserAgentCatalyst.h
diff --git a/Source/AppAuth/iOS/OIDExternalUserAgentCatalyst.m b/Sources/AppAuth/iOS/OIDExternalUserAgentCatalyst.m
similarity index 100%
rename from Source/AppAuth/iOS/OIDExternalUserAgentCatalyst.m
rename to Sources/AppAuth/iOS/OIDExternalUserAgentCatalyst.m
diff --git a/Source/AppAuth/iOS/OIDExternalUserAgentIOS.h b/Sources/AppAuth/iOS/OIDExternalUserAgentIOS.h
similarity index 95%
rename from Source/AppAuth/iOS/OIDExternalUserAgentIOS.h
rename to Sources/AppAuth/iOS/OIDExternalUserAgentIOS.h
index 1939b4b1b..12abc203c 100644
--- a/Source/AppAuth/iOS/OIDExternalUserAgentIOS.h
+++ b/Sources/AppAuth/iOS/OIDExternalUserAgentIOS.h
@@ -34,7 +34,7 @@ NS_ASSUME_NONNULL_BEGIN
 API_UNAVAILABLE(macCatalyst)
 @interface OIDExternalUserAgentIOS : NSObject<OIDExternalUserAgent>
 
-- (instancetype)init API_AVAILABLE(ios(11))
+- (null_unspecified instancetype)init API_AVAILABLE(ios(11))
     __deprecated_msg("This method will not work on iOS 13, use "
                      "initWithPresentingViewController:presentingViewController");
 
@@ -46,7 +46,7 @@ API_UNAVAILABLE(macCatalyst)
         (unless Guided Access is on which does not work) or uses @c SFSafariViewController, and iOS
         12+ uses @c ASWebAuthenticationSession (unless Guided Access is on).
  */
-- (instancetype)initWithPresentingViewController:
+- (nullable instancetype)initWithPresentingViewController:
     (UIViewController *)presentingViewController
     NS_DESIGNATED_INITIALIZER;
 
diff --git a/Source/AppAuth/iOS/OIDExternalUserAgentIOS.m b/Sources/AppAuth/iOS/OIDExternalUserAgentIOS.m
similarity index 99%
rename from Source/AppAuth/iOS/OIDExternalUserAgentIOS.m
rename to Sources/AppAuth/iOS/OIDExternalUserAgentIOS.m
index e6213cb6b..4a8cda0a3 100644
--- a/Source/AppAuth/iOS/OIDExternalUserAgentIOS.m
+++ b/Sources/AppAuth/iOS/OIDExternalUserAgentIOS.m
@@ -55,14 +55,14 @@ @implementation OIDExternalUserAgentIOS {
 #pragma clang diagnostic pop
 }
 
-- (instancetype)init {
+- (null_unspecified instancetype)init {
 #pragma clang diagnostic push
 #pragma clang diagnostic ignored "-Wnonnull"
   return [self initWithPresentingViewController:nil];
 #pragma clang diagnostic pop
 }
 
-- (instancetype)initWithPresentingViewController:
+- (nullable instancetype)initWithPresentingViewController:
     (UIViewController *)presentingViewController {
   self = [super init];
   if (self) {
diff --git a/Source/AppAuth/iOS/OIDExternalUserAgentIOSCustomBrowser.h b/Sources/AppAuth/iOS/OIDExternalUserAgentIOSCustomBrowser.h
similarity index 100%
rename from Source/AppAuth/iOS/OIDExternalUserAgentIOSCustomBrowser.h
rename to Sources/AppAuth/iOS/OIDExternalUserAgentIOSCustomBrowser.h
diff --git a/Source/AppAuth/iOS/OIDExternalUserAgentIOSCustomBrowser.m b/Sources/AppAuth/iOS/OIDExternalUserAgentIOSCustomBrowser.m
similarity index 100%
rename from Source/AppAuth/iOS/OIDExternalUserAgentIOSCustomBrowser.m
rename to Sources/AppAuth/iOS/OIDExternalUserAgentIOSCustomBrowser.m
diff --git a/Source/AppAuth/macOS/LoopbackHTTPServer/OIDLoopbackHTTPServer.h b/Sources/AppAuth/macOS/LoopbackHTTPServer/OIDLoopbackHTTPServer.h
similarity index 100%
rename from Source/AppAuth/macOS/LoopbackHTTPServer/OIDLoopbackHTTPServer.h
rename to Sources/AppAuth/macOS/LoopbackHTTPServer/OIDLoopbackHTTPServer.h
diff --git a/Source/AppAuth/macOS/LoopbackHTTPServer/OIDLoopbackHTTPServer.m b/Sources/AppAuth/macOS/LoopbackHTTPServer/OIDLoopbackHTTPServer.m
similarity index 100%
rename from Source/AppAuth/macOS/LoopbackHTTPServer/OIDLoopbackHTTPServer.m
rename to Sources/AppAuth/macOS/LoopbackHTTPServer/OIDLoopbackHTTPServer.m
diff --git a/Source/AppAuth/macOS/OIDAuthState+Mac.h b/Sources/AppAuth/macOS/OIDAuthState+Mac.h
similarity index 100%
rename from Source/AppAuth/macOS/OIDAuthState+Mac.h
rename to Sources/AppAuth/macOS/OIDAuthState+Mac.h
diff --git a/Source/AppAuth/macOS/OIDAuthState+Mac.m b/Sources/AppAuth/macOS/OIDAuthState+Mac.m
similarity index 100%
rename from Source/AppAuth/macOS/OIDAuthState+Mac.m
rename to Sources/AppAuth/macOS/OIDAuthState+Mac.m
diff --git a/Source/AppAuth/macOS/OIDAuthorizationService+Mac.h b/Sources/AppAuth/macOS/OIDAuthorizationService+Mac.h
similarity index 100%
rename from Source/AppAuth/macOS/OIDAuthorizationService+Mac.h
rename to Sources/AppAuth/macOS/OIDAuthorizationService+Mac.h
diff --git a/Source/AppAuth/macOS/OIDAuthorizationService+Mac.m b/Sources/AppAuth/macOS/OIDAuthorizationService+Mac.m
similarity index 100%
rename from Source/AppAuth/macOS/OIDAuthorizationService+Mac.m
rename to Sources/AppAuth/macOS/OIDAuthorizationService+Mac.m
diff --git a/Source/AppAuth/macOS/OIDExternalUserAgentMac.h b/Sources/AppAuth/macOS/OIDExternalUserAgentMac.h
similarity index 100%
rename from Source/AppAuth/macOS/OIDExternalUserAgentMac.h
rename to Sources/AppAuth/macOS/OIDExternalUserAgentMac.h
diff --git a/Source/AppAuth/macOS/OIDExternalUserAgentMac.m b/Sources/AppAuth/macOS/OIDExternalUserAgentMac.m
similarity index 100%
rename from Source/AppAuth/macOS/OIDExternalUserAgentMac.m
rename to Sources/AppAuth/macOS/OIDExternalUserAgentMac.m
diff --git a/Source/AppAuth/macOS/OIDRedirectHTTPHandler.h b/Sources/AppAuth/macOS/OIDRedirectHTTPHandler.h
similarity index 100%
rename from Source/AppAuth/macOS/OIDRedirectHTTPHandler.h
rename to Sources/AppAuth/macOS/OIDRedirectHTTPHandler.h
diff --git a/Source/AppAuth/macOS/OIDRedirectHTTPHandler.m b/Sources/AppAuth/macOS/OIDRedirectHTTPHandler.m
similarity index 100%
rename from Source/AppAuth/macOS/OIDRedirectHTTPHandler.m
rename to Sources/AppAuth/macOS/OIDRedirectHTTPHandler.m
diff --git a/Source/AppAuthCore.h b/Sources/AppAuthCore.h
similarity index 100%
rename from Source/AppAuthCore.h
rename to Sources/AppAuthCore.h
diff --git a/Source/AppAuthCore/OIDAuthState.h b/Sources/AppAuthCore/OIDAuthState.h
similarity index 87%
rename from Source/AppAuthCore/OIDAuthState.h
rename to Sources/AppAuthCore/OIDAuthState.h
index 68697d2ca..46c78a831 100644
--- a/Source/AppAuthCore/OIDAuthState.h
+++ b/Sources/AppAuthCore/OIDAuthState.h
@@ -48,6 +48,12 @@ typedef void (^OIDAuthStateAction)(NSString *_Nullable accessToken,
 typedef void (^OIDAuthStateAuthorizationCallback)(OIDAuthState *_Nullable authState,
                                                   NSError *_Nullable error);
 
+/*! @brief The exception thrown when a developer tries to create a refresh request from an
+        authorization request with no authorization code.
+ */
+static NSString *const kRefreshTokenRequestException =
+    @"Attempted to create a token refresh request from a token response with no refresh token.";
+
 /*! @brief A convenience class that retains the auth state between @c OIDAuthorizationResponse%s
         and @c OIDTokenResponse%s.
  */
@@ -267,6 +273,31 @@ typedef void (^OIDAuthStateAuthorizationCallback)(OIDAuthState *_Nullable authSt
 - (nullable OIDTokenRequest *)tokenRefreshRequestWithAdditionalParameters:
     (nullable NSDictionary<NSString *, NSString *> *)additionalParameters;
 
+/*! @brief Creates a token request suitable for refreshing an access token.
+    @param additionalParameters Additional parameters for the token request.
+    @param additionalHeaders Additional headers for the token request.
+    @return A @c OIDTokenRequest suitable for using a refresh token to obtain a new access token.
+    @discussion After performing the refresh, call @c OIDAuthState.updateWithTokenResponse:error:
+        to update the authorization state based on the response. Rather than doing the token refresh
+        yourself, you should use @c OIDAuthState.performActionWithFreshTokens:.
+    @see https://tools.ietf.org/html/rfc6749#section-1.5
+ */
+- (nullable OIDTokenRequest *)tokenRefreshRequestWithAdditionalParameters:
+    (nullable NSDictionary<NSString *, NSString *> *)additionalParameters
+                                                        additionalHeaders:
+    (nullable NSDictionary<NSString *, NSString *> *)additionalHeaders;
+
+/*! @brief Creates a token request suitable for refreshing an access token.
+    @param additionalHeaders Additional parameters for the token request.
+    @return A @c OIDTokenRequest suitable for using a refresh token to obtain a new access token.
+    @discussion After performing the refresh, call @c OIDAuthState.updateWithTokenResponse:error:
+        to update the authorization state based on the response. Rather than doing the token refresh
+        yourself, you should use @c OIDAuthState.performActionWithFreshTokens:.
+    @see https://tools.ietf.org/html/rfc6749#section-1.5
+ */
+- (nullable OIDTokenRequest *)tokenRefreshRequestWithAdditionalHeaders:
+    (nullable NSDictionary<NSString *, NSString *> *)additionalHeaders;
+
 @end
 
 NS_ASSUME_NONNULL_END
diff --git a/Source/AppAuthCore/OIDAuthState.m b/Sources/AppAuthCore/OIDAuthState.m
similarity index 92%
rename from Source/AppAuthCore/OIDAuthState.m
rename to Sources/AppAuthCore/OIDAuthState.m
index fe8a16221..cb5a22a1e 100644
--- a/Source/AppAuthCore/OIDAuthState.m
+++ b/Sources/AppAuthCore/OIDAuthState.m
@@ -55,12 +55,6 @@
  */
 static NSString *const kAuthorizationErrorKey = @"authorizationError";
 
-/*! @brief The exception thrown when a developer tries to create a refresh request from an
-        authorization request with no authorization code.
- */
-static NSString *const kRefreshTokenRequestException =
-    @"Attempted to create a token refresh request from a token response with no refresh token.";
-
 /*! @brief Number of seconds the access token is refreshed before it actually expires.
  */
 static const NSUInteger kExpiryTimeTolerance = 60;
@@ -427,7 +421,47 @@ - (OIDTokenRequest *)tokenRefreshRequest {
 - (OIDTokenRequest *)tokenRefreshRequestWithAdditionalParameters:
     (NSDictionary<NSString *, NSString *> *)additionalParameters {
 
-  // TODO: Add unit test to confirm exception is thrown when expected
+  if (!_refreshToken) {
+    [OIDErrorUtilities raiseException:kRefreshTokenRequestException];
+  }
+  return [[OIDTokenRequest alloc]
+      initWithConfiguration:_lastAuthorizationResponse.request.configuration
+                  grantType:OIDGrantTypeRefreshToken
+          authorizationCode:nil
+                redirectURL:nil
+                   clientID:_lastAuthorizationResponse.request.clientID
+               clientSecret:_lastAuthorizationResponse.request.clientSecret
+                      scope:nil
+               refreshToken:_refreshToken
+               codeVerifier:nil
+       additionalParameters:additionalParameters
+          additionalHeaders:nil];
+}
+
+- (OIDTokenRequest *)tokenRefreshRequestWithAdditionalParameters:
+    (NSDictionary<NSString *, NSString *> *)additionalParameters
+                                               additionalHeaders:
+    (NSDictionary<NSString *,NSString *> *)additionalHeaders {
+
+  if (!_refreshToken) {
+    [OIDErrorUtilities raiseException:kRefreshTokenRequestException];
+  }
+  return [[OIDTokenRequest alloc]
+      initWithConfiguration:_lastAuthorizationResponse.request.configuration
+                  grantType:OIDGrantTypeRefreshToken
+          authorizationCode:nil
+                redirectURL:nil
+                   clientID:_lastAuthorizationResponse.request.clientID
+               clientSecret:_lastAuthorizationResponse.request.clientSecret
+                      scope:nil
+               refreshToken:_refreshToken
+               codeVerifier:nil
+       additionalParameters:additionalParameters
+          additionalHeaders:additionalHeaders];
+}
+
+- (OIDTokenRequest *)tokenRefreshRequestWithAdditionalHeaders:
+    (NSDictionary<NSString *, NSString *> *)additionalHeaders {
 
   if (!_refreshToken) {
     [OIDErrorUtilities raiseException:kRefreshTokenRequestException];
@@ -442,7 +476,8 @@ - (OIDTokenRequest *)tokenRefreshRequestWithAdditionalParameters:
                       scope:nil
                refreshToken:_refreshToken
                codeVerifier:nil
-       additionalParameters:additionalParameters];
+       additionalParameters:nil
+          additionalHeaders:additionalHeaders];
 }
 
 #pragma mark - Stateful Actions
diff --git a/Source/AppAuthCore/OIDAuthStateChangeDelegate.h b/Sources/AppAuthCore/OIDAuthStateChangeDelegate.h
similarity index 100%
rename from Source/AppAuthCore/OIDAuthStateChangeDelegate.h
rename to Sources/AppAuthCore/OIDAuthStateChangeDelegate.h
diff --git a/Source/AppAuthCore/OIDAuthStateErrorDelegate.h b/Sources/AppAuthCore/OIDAuthStateErrorDelegate.h
similarity index 100%
rename from Source/AppAuthCore/OIDAuthStateErrorDelegate.h
rename to Sources/AppAuthCore/OIDAuthStateErrorDelegate.h
diff --git a/Source/AppAuthCore/OIDAuthorizationRequest.h b/Sources/AppAuthCore/OIDAuthorizationRequest.h
similarity index 89%
rename from Source/AppAuthCore/OIDAuthorizationRequest.h
rename to Sources/AppAuthCore/OIDAuthorizationRequest.h
index 594f01d87..c3a0cc0d8 100644
--- a/Source/AppAuthCore/OIDAuthorizationRequest.h
+++ b/Sources/AppAuthCore/OIDAuthorizationRequest.h
@@ -159,6 +159,29 @@ extern NSString *const OIDOAuthorizationRequestCodeChallengeMethodS256;
              responseType:(NSString *)responseType
      additionalParameters:(nullable NSDictionary<NSString *, NSString *> *)additionalParameters;
 
+/*! @brief Creates an authorization request with custom nonce, a secure @c state,
+        and PKCE with S256 as the @c code_challenge_method.
+    @param configuration The service's configuration.
+    @param clientID The client identifier.
+    @param scopes An array of scopes to combine into a single scope string per the OAuth2 spec.
+    @param redirectURL The client's redirect URI.
+    @param responseType The expected response type.
+    @param nonce String value used to associate a Client session with an ID Token. Can be set to nil
+        if not using OpenID Connect, although pure OAuth servers should ignore params they don't
+        understand anyway.
+    @param additionalParameters The client's additional authorization parameters.
+    @remarks This convenience initializer generates a state parameter and PKCE challenges
+        automatically.
+ */
+- (instancetype)
+    initWithConfiguration:(OIDServiceConfiguration *)configuration
+                 clientId:(NSString *)clientID
+                   scopes:(nullable NSArray<NSString *> *)scopes
+              redirectURL:(NSURL *)redirectURL
+             responseType:(NSString *)responseType
+                    nonce:(nullable NSString *)nonce
+     additionalParameters:(nullable NSDictionary<NSString *, NSString *> *)additionalParameters;
+
 /*! @brief Creates an authorization request with opinionated defaults (a secure @c state, @c nonce,
         and PKCE with S256 as the @c code_challenge_method).
     @param configuration The service's configuration.
diff --git a/Source/AppAuthCore/OIDAuthorizationRequest.m b/Sources/AppAuthCore/OIDAuthorizationRequest.m
similarity index 91%
rename from Source/AppAuthCore/OIDAuthorizationRequest.m
rename to Sources/AppAuthCore/OIDAuthorizationRequest.m
index ccfacda0f..1be1fdfde 100644
--- a/Source/AppAuthCore/OIDAuthorizationRequest.m
+++ b/Sources/AppAuthCore/OIDAuthorizationRequest.m
@@ -202,6 +202,32 @@ - (instancetype)initWithConfiguration:(OIDServiceConfiguration *)configuration
                 additionalParameters:additionalParameters];
 }
 
+- (instancetype)
+    initWithConfiguration:(OIDServiceConfiguration *)configuration
+                 clientId:(NSString *)clientID
+                   scopes:(nullable NSArray<NSString *> *)scopes
+              redirectURL:(NSURL *)redirectURL
+             responseType:(NSString *)responseType
+                    nonce:(nullable NSString *)nonce
+    additionalParameters:(nullable NSDictionary<NSString *, NSString *> *)additionalParameters {
+  // generates PKCE code verifier and challenge
+  NSString *codeVerifier = [[self class] generateCodeVerifier];
+  NSString *codeChallenge = [[self class] codeChallengeS256ForVerifier:codeVerifier];
+
+  return [self initWithConfiguration:configuration
+                            clientId:clientID
+                        clientSecret:nil
+                               scope:[OIDScopeUtilities scopesWithArray:scopes]
+                         redirectURL:redirectURL
+                        responseType:responseType
+                               state:[[self class] generateState]
+                               nonce:nonce
+                        codeVerifier:codeVerifier
+                       codeChallenge:codeChallenge
+                 codeChallengeMethod:OIDOAuthorizationRequestCodeChallengeMethodS256
+                additionalParameters:additionalParameters];
+}
+
 #pragma mark - NSCopying
 
 - (instancetype)copyWithZone:(nullable NSZone *)zone {
diff --git a/Source/AppAuthCore/OIDAuthorizationResponse.h b/Sources/AppAuthCore/OIDAuthorizationResponse.h
similarity index 87%
rename from Source/AppAuthCore/OIDAuthorizationResponse.h
rename to Sources/AppAuthCore/OIDAuthorizationResponse.h
index e7552fe59..a9af1864b 100644
--- a/Source/AppAuthCore/OIDAuthorizationResponse.h
+++ b/Sources/AppAuthCore/OIDAuthorizationResponse.h
@@ -123,6 +123,19 @@ NS_ASSUME_NONNULL_BEGIN
 - (nullable OIDTokenRequest *)tokenExchangeRequestWithAdditionalParameters:
     (nullable NSDictionary<NSString *, NSString *> *)additionalParameters;
 
+/*! @brief Creates a token request suitable for exchanging an authorization code for an access
+        token.
+    @param additionalParameters Additional parameters for the token request.
+    @param additionalHeaders Additional headers for the token request.
+    @return A @c OIDTokenRequest suitable for exchanging an authorization code for an access
+        token.
+    @see https://tools.ietf.org/html/rfc6749#section-4.1.3
+ */
+- (nullable OIDTokenRequest *)tokenExchangeRequestWithAdditionalParameters:
+    (nullable NSDictionary<NSString *, NSString *> *)additionalParameters
+                                                         additionalHeaders:
+    (nullable NSDictionary<NSString *, NSString *> *)additionalHeaders;
+
 @end
 
 NS_ASSUME_NONNULL_END
diff --git a/Source/AppAuthCore/OIDAuthorizationResponse.m b/Sources/AppAuthCore/OIDAuthorizationResponse.m
similarity index 93%
rename from Source/AppAuthCore/OIDAuthorizationResponse.m
rename to Sources/AppAuthCore/OIDAuthorizationResponse.m
index a8f92c75e..957f81d3a 100644
--- a/Source/AppAuthCore/OIDAuthorizationResponse.m
+++ b/Sources/AppAuthCore/OIDAuthorizationResponse.m
@@ -184,11 +184,19 @@ - (NSString *)description {
 #pragma mark -
 
 - (OIDTokenRequest *)tokenExchangeRequest {
-  return [self tokenExchangeRequestWithAdditionalParameters:nil];
+  return [self tokenExchangeRequestWithAdditionalParameters:nil additionalHeaders:nil];
 }
 
 - (OIDTokenRequest *)tokenExchangeRequestWithAdditionalParameters:
     (NSDictionary<NSString *, NSString *> *)additionalParameters {
+  return [self tokenExchangeRequestWithAdditionalParameters:additionalParameters
+                                          additionalHeaders:nil];
+}
+
+- (OIDTokenRequest *)tokenExchangeRequestWithAdditionalParameters:
+    (NSDictionary<NSString *, NSString *> *)additionalParameters
+                                                additionalHeaders:
+    (NSDictionary<NSString *, NSString *> *)additionalHeaders {
   // TODO: add a unit test to confirm exception is thrown when expected and the request is created
   //       with the correct parameters.
   if (!_authorizationCode) {
@@ -204,7 +212,8 @@ - (OIDTokenRequest *)tokenExchangeRequestWithAdditionalParameters:
                                                   scope:nil
                                            refreshToken:nil
                                            codeVerifier:_request.codeVerifier
-                                   additionalParameters:additionalParameters];
+                                   additionalParameters:additionalParameters
+                                      additionalHeaders:additionalHeaders];
 }
 
 @end
diff --git a/Source/AppAuthCore/OIDAuthorizationService.h b/Sources/AppAuthCore/OIDAuthorizationService.h
similarity index 100%
rename from Source/AppAuthCore/OIDAuthorizationService.h
rename to Sources/AppAuthCore/OIDAuthorizationService.h
diff --git a/Source/AppAuthCore/OIDAuthorizationService.m b/Sources/AppAuthCore/OIDAuthorizationService.m
similarity index 100%
rename from Source/AppAuthCore/OIDAuthorizationService.m
rename to Sources/AppAuthCore/OIDAuthorizationService.m
diff --git a/Source/AppAuthCore/OIDClientMetadataParameters.h b/Sources/AppAuthCore/OIDClientMetadataParameters.h
similarity index 100%
rename from Source/AppAuthCore/OIDClientMetadataParameters.h
rename to Sources/AppAuthCore/OIDClientMetadataParameters.h
diff --git a/Source/AppAuthCore/OIDClientMetadataParameters.m b/Sources/AppAuthCore/OIDClientMetadataParameters.m
similarity index 100%
rename from Source/AppAuthCore/OIDClientMetadataParameters.m
rename to Sources/AppAuthCore/OIDClientMetadataParameters.m
diff --git a/Source/AppAuthCore/OIDDefines.h b/Sources/AppAuthCore/OIDDefines.h
similarity index 100%
rename from Source/AppAuthCore/OIDDefines.h
rename to Sources/AppAuthCore/OIDDefines.h
diff --git a/Source/AppAuthCore/OIDEndSessionRequest.h b/Sources/AppAuthCore/OIDEndSessionRequest.h
similarity index 100%
rename from Source/AppAuthCore/OIDEndSessionRequest.h
rename to Sources/AppAuthCore/OIDEndSessionRequest.h
diff --git a/Source/AppAuthCore/OIDEndSessionRequest.m b/Sources/AppAuthCore/OIDEndSessionRequest.m
similarity index 100%
rename from Source/AppAuthCore/OIDEndSessionRequest.m
rename to Sources/AppAuthCore/OIDEndSessionRequest.m
diff --git a/Source/AppAuthCore/OIDEndSessionResponse.h b/Sources/AppAuthCore/OIDEndSessionResponse.h
similarity index 100%
rename from Source/AppAuthCore/OIDEndSessionResponse.h
rename to Sources/AppAuthCore/OIDEndSessionResponse.h
diff --git a/Source/AppAuthCore/OIDEndSessionResponse.m b/Sources/AppAuthCore/OIDEndSessionResponse.m
similarity index 100%
rename from Source/AppAuthCore/OIDEndSessionResponse.m
rename to Sources/AppAuthCore/OIDEndSessionResponse.m
diff --git a/Source/AppAuthCore/OIDError.h b/Sources/AppAuthCore/OIDError.h
similarity index 100%
rename from Source/AppAuthCore/OIDError.h
rename to Sources/AppAuthCore/OIDError.h
diff --git a/Source/AppAuthCore/OIDError.m b/Sources/AppAuthCore/OIDError.m
similarity index 100%
rename from Source/AppAuthCore/OIDError.m
rename to Sources/AppAuthCore/OIDError.m
diff --git a/Source/AppAuthCore/OIDErrorUtilities.h b/Sources/AppAuthCore/OIDErrorUtilities.h
similarity index 100%
rename from Source/AppAuthCore/OIDErrorUtilities.h
rename to Sources/AppAuthCore/OIDErrorUtilities.h
diff --git a/Source/AppAuthCore/OIDErrorUtilities.m b/Sources/AppAuthCore/OIDErrorUtilities.m
similarity index 100%
rename from Source/AppAuthCore/OIDErrorUtilities.m
rename to Sources/AppAuthCore/OIDErrorUtilities.m
diff --git a/Source/AppAuthCore/OIDExternalUserAgent.h b/Sources/AppAuthCore/OIDExternalUserAgent.h
similarity index 100%
rename from Source/AppAuthCore/OIDExternalUserAgent.h
rename to Sources/AppAuthCore/OIDExternalUserAgent.h
diff --git a/Source/AppAuthCore/OIDExternalUserAgentRequest.h b/Sources/AppAuthCore/OIDExternalUserAgentRequest.h
similarity index 100%
rename from Source/AppAuthCore/OIDExternalUserAgentRequest.h
rename to Sources/AppAuthCore/OIDExternalUserAgentRequest.h
diff --git a/Source/AppAuthCore/OIDExternalUserAgentSession.h b/Sources/AppAuthCore/OIDExternalUserAgentSession.h
similarity index 100%
rename from Source/AppAuthCore/OIDExternalUserAgentSession.h
rename to Sources/AppAuthCore/OIDExternalUserAgentSession.h
diff --git a/Source/AppAuthCore/OIDFieldMapping.h b/Sources/AppAuthCore/OIDFieldMapping.h
similarity index 100%
rename from Source/AppAuthCore/OIDFieldMapping.h
rename to Sources/AppAuthCore/OIDFieldMapping.h
diff --git a/Source/AppAuthCore/OIDFieldMapping.m b/Sources/AppAuthCore/OIDFieldMapping.m
similarity index 100%
rename from Source/AppAuthCore/OIDFieldMapping.m
rename to Sources/AppAuthCore/OIDFieldMapping.m
diff --git a/Source/AppAuthCore/OIDGrantTypes.h b/Sources/AppAuthCore/OIDGrantTypes.h
similarity index 100%
rename from Source/AppAuthCore/OIDGrantTypes.h
rename to Sources/AppAuthCore/OIDGrantTypes.h
diff --git a/Source/AppAuthCore/OIDGrantTypes.m b/Sources/AppAuthCore/OIDGrantTypes.m
similarity index 100%
rename from Source/AppAuthCore/OIDGrantTypes.m
rename to Sources/AppAuthCore/OIDGrantTypes.m
diff --git a/Source/AppAuthCore/OIDIDToken.h b/Sources/AppAuthCore/OIDIDToken.h
similarity index 100%
rename from Source/AppAuthCore/OIDIDToken.h
rename to Sources/AppAuthCore/OIDIDToken.h
diff --git a/Source/AppAuthCore/OIDIDToken.m b/Sources/AppAuthCore/OIDIDToken.m
similarity index 100%
rename from Source/AppAuthCore/OIDIDToken.m
rename to Sources/AppAuthCore/OIDIDToken.m
diff --git a/Source/AppAuthCore/OIDRegistrationRequest.h b/Sources/AppAuthCore/OIDRegistrationRequest.h
similarity index 100%
rename from Source/AppAuthCore/OIDRegistrationRequest.h
rename to Sources/AppAuthCore/OIDRegistrationRequest.h
diff --git a/Source/AppAuthCore/OIDRegistrationRequest.m b/Sources/AppAuthCore/OIDRegistrationRequest.m
similarity index 100%
rename from Source/AppAuthCore/OIDRegistrationRequest.m
rename to Sources/AppAuthCore/OIDRegistrationRequest.m
diff --git a/Source/AppAuthCore/OIDRegistrationResponse.h b/Sources/AppAuthCore/OIDRegistrationResponse.h
similarity index 100%
rename from Source/AppAuthCore/OIDRegistrationResponse.h
rename to Sources/AppAuthCore/OIDRegistrationResponse.h
diff --git a/Source/AppAuthCore/OIDRegistrationResponse.m b/Sources/AppAuthCore/OIDRegistrationResponse.m
similarity index 100%
rename from Source/AppAuthCore/OIDRegistrationResponse.m
rename to Sources/AppAuthCore/OIDRegistrationResponse.m
diff --git a/Source/AppAuthCore/OIDResponseTypes.h b/Sources/AppAuthCore/OIDResponseTypes.h
similarity index 100%
rename from Source/AppAuthCore/OIDResponseTypes.h
rename to Sources/AppAuthCore/OIDResponseTypes.h
diff --git a/Source/AppAuthCore/OIDResponseTypes.m b/Sources/AppAuthCore/OIDResponseTypes.m
similarity index 100%
rename from Source/AppAuthCore/OIDResponseTypes.m
rename to Sources/AppAuthCore/OIDResponseTypes.m
diff --git a/Source/AppAuthCore/OIDScopeUtilities.h b/Sources/AppAuthCore/OIDScopeUtilities.h
similarity index 100%
rename from Source/AppAuthCore/OIDScopeUtilities.h
rename to Sources/AppAuthCore/OIDScopeUtilities.h
diff --git a/Source/AppAuthCore/OIDScopeUtilities.m b/Sources/AppAuthCore/OIDScopeUtilities.m
similarity index 100%
rename from Source/AppAuthCore/OIDScopeUtilities.m
rename to Sources/AppAuthCore/OIDScopeUtilities.m
diff --git a/Source/AppAuthCore/OIDScopes.h b/Sources/AppAuthCore/OIDScopes.h
similarity index 100%
rename from Source/AppAuthCore/OIDScopes.h
rename to Sources/AppAuthCore/OIDScopes.h
diff --git a/Source/AppAuthCore/OIDScopes.m b/Sources/AppAuthCore/OIDScopes.m
similarity index 100%
rename from Source/AppAuthCore/OIDScopes.m
rename to Sources/AppAuthCore/OIDScopes.m
diff --git a/Source/AppAuthCore/OIDServiceConfiguration.h b/Sources/AppAuthCore/OIDServiceConfiguration.h
similarity index 100%
rename from Source/AppAuthCore/OIDServiceConfiguration.h
rename to Sources/AppAuthCore/OIDServiceConfiguration.h
diff --git a/Source/AppAuthCore/OIDServiceConfiguration.m b/Sources/AppAuthCore/OIDServiceConfiguration.m
similarity index 100%
rename from Source/AppAuthCore/OIDServiceConfiguration.m
rename to Sources/AppAuthCore/OIDServiceConfiguration.m
diff --git a/Source/AppAuthCore/OIDServiceDiscovery.h b/Sources/AppAuthCore/OIDServiceDiscovery.h
similarity index 100%
rename from Source/AppAuthCore/OIDServiceDiscovery.h
rename to Sources/AppAuthCore/OIDServiceDiscovery.h
diff --git a/Source/AppAuthCore/OIDServiceDiscovery.m b/Sources/AppAuthCore/OIDServiceDiscovery.m
similarity index 100%
rename from Source/AppAuthCore/OIDServiceDiscovery.m
rename to Sources/AppAuthCore/OIDServiceDiscovery.m
diff --git a/Source/AppAuthCore/OIDTokenRequest.h b/Sources/AppAuthCore/OIDTokenRequest.h
similarity index 67%
rename from Source/AppAuthCore/OIDTokenRequest.h
rename to Sources/AppAuthCore/OIDTokenRequest.h
index 399294e8c..53a007378 100644
--- a/Source/AppAuthCore/OIDTokenRequest.h
+++ b/Sources/AppAuthCore/OIDTokenRequest.h
@@ -95,9 +95,13 @@ NS_ASSUME_NONNULL_BEGIN
  */
 @property(nonatomic, readonly, nullable) NSDictionary<NSString *, NSString *> *additionalParameters;
 
+/*! @brief The client's additional token request headers.
+ */
+@property(nonatomic, readonly, nullable) NSDictionary<NSString *, NSString *> *additionalHeaders;
+
 /*! @internal
     @brief Unavailable. Please use
-        initWithConfiguration:grantType:code:redirectURL:clientID:additionalParameters:.
+        initWithConfiguration:grantType:code:redirectURL:clientID:additionalParameters:additionalHeaders:.
  */
 - (instancetype)init NS_UNAVAILABLE;
 
@@ -125,6 +129,57 @@ NS_ASSUME_NONNULL_BEGIN
             codeVerifier:(nullable NSString *)codeVerifier
     additionalParameters:(nullable NSDictionary<NSString *, NSString *> *)additionalParameters;
 
+/*! @param configuration The service's configuration.
+    @param grantType the type of token being sent to the token endpoint, i.e. "authorization_code"
+        for the authorization code exchange, or "refresh_token" for an access token refresh request.
+        @see OIDGrantTypes.h
+    @param code The authorization code received from the authorization server.
+    @param redirectURL The client's redirect URI.
+    @param clientID The client identifier.
+    @param clientSecret The client secret.
+    @param scope The value of the scope parameter is expressed as a list of space-delimited,
+        case-sensitive strings.
+    @param refreshToken The refresh token.
+    @param codeVerifier The PKCE code verifier.
+    @param additionalParameters The client's additional token request parameters.
+ */
+- (instancetype)initWithConfiguration:(OIDServiceConfiguration *)configuration
+               grantType:(NSString *)grantType
+       authorizationCode:(nullable NSString *)code
+             redirectURL:(nullable NSURL *)redirectURL
+                clientID:(NSString *)clientID
+            clientSecret:(nullable NSString *)clientSecret
+                   scope:(nullable NSString *)scope
+            refreshToken:(nullable NSString *)refreshToken
+            codeVerifier:(nullable NSString *)codeVerifier
+    additionalParameters:(nullable NSDictionary<NSString *, NSString *> *)additionalParameters;
+
+/*! @param configuration The service's configuration.
+    @param grantType the type of token being sent to the token endpoint, i.e. "authorization_code"
+        for the authorization code exchange, or "refresh_token" for an access token refresh request.
+        @see OIDGrantTypes.h
+    @param code The authorization code received from the authorization server.
+    @param redirectURL The client's redirect URI.
+    @param clientID The client identifier.
+    @param clientSecret The client secret.
+    @param scopes An array of scopes to combine into a single scope string per the OAuth2 spec.
+    @param refreshToken The refresh token.
+    @param codeVerifier The PKCE code verifier.
+    @param additionalParameters The client's additional token request parameters.
+    @param additionalHeaders The client's additional token request headers.
+ */
+- (instancetype)initWithConfiguration:(OIDServiceConfiguration *)configuration
+               grantType:(NSString *)grantType
+       authorizationCode:(nullable NSString *)code
+             redirectURL:(nullable NSURL *)redirectURL
+                clientID:(NSString *)clientID
+            clientSecret:(nullable NSString *)clientSecret
+                  scopes:(nullable NSArray<NSString *> *)scopes
+            refreshToken:(nullable NSString *)refreshToken
+            codeVerifier:(nullable NSString *)codeVerifier
+    additionalParameters:(nullable NSDictionary<NSString *, NSString *> *)additionalParameters
+       additionalHeaders:(nullable NSDictionary<NSString *, NSString *> *)additionalHeaders;
+
 /*! @brief Designated initializer.
     @param configuration The service's configuration.
     @param grantType the type of token being sent to the token endpoint, i.e. "authorization_code"
@@ -139,6 +194,7 @@ NS_ASSUME_NONNULL_BEGIN
     @param refreshToken The refresh token.
     @param codeVerifier The PKCE code verifier.
     @param additionalParameters The client's additional token request parameters.
+    @param additionalHeaders The client's additional token request headers.
  */
 - (instancetype)initWithConfiguration:(OIDServiceConfiguration *)configuration
                grantType:(NSString *)grantType
@@ -150,6 +206,7 @@ NS_ASSUME_NONNULL_BEGIN
             refreshToken:(nullable NSString *)refreshToken
             codeVerifier:(nullable NSString *)codeVerifier
     additionalParameters:(nullable NSDictionary<NSString *, NSString *> *)additionalParameters
+       additionalHeaders:(nullable NSDictionary<NSString *, NSString *> *)additionalHeaders
     NS_DESIGNATED_INITIALIZER;
 
 /*! @brief Designated initializer for NSSecureCoding.
diff --git a/Source/AppAuthCore/OIDTokenRequest.m b/Sources/AppAuthCore/OIDTokenRequest.m
similarity index 76%
rename from Source/AppAuthCore/OIDTokenRequest.m
rename to Sources/AppAuthCore/OIDTokenRequest.m
index 5ed8a17ef..6d30b6d6b 100644
--- a/Source/AppAuthCore/OIDTokenRequest.m
+++ b/Sources/AppAuthCore/OIDTokenRequest.m
@@ -67,6 +67,11 @@
  */
 static NSString *const kAdditionalParametersKey = @"additionalParameters";
 
+/*! @brief Key used to encode the @c additionalHeaders property for
+        @c NSSecureCoding
+ */
+static NSString *const kAdditionalHeadersKey = @"additionalHeaders";
+
 @implementation OIDTokenRequest
 
 - (instancetype)init
@@ -80,9 +85,56 @@ - (instancetype)init
                                   scope:
                            refreshToken:
                            codeVerifier:
-                   additionalParameters:)
+                   additionalParameters:
+                      additionalHeaders:)
     )
 
+- (instancetype)initWithConfiguration:(nonnull OIDServiceConfiguration *)configuration
+               grantType:(nonnull NSString *)grantType
+       authorizationCode:(nullable NSString *)code
+             redirectURL:(nullable NSURL *)redirectURL
+                clientID:(nonnull NSString *)clientID
+            clientSecret:(nullable NSString *)clientSecret
+                  scopes:(nullable NSArray<NSString *> *)scopes
+            refreshToken:(nullable NSString *)refreshToken
+            codeVerifier:(nullable NSString *)codeVerifier
+    additionalParameters:(nullable NSDictionary<NSString *,NSString *> *)additionalParameters {
+  return [self initWithConfiguration:configuration
+                           grantType:grantType
+                   authorizationCode:code
+                         redirectURL:redirectURL
+                            clientID:clientID
+                        clientSecret:clientSecret
+                              scopes:scopes
+                        refreshToken:refreshToken
+                        codeVerifier:codeVerifier
+                additionalParameters:additionalParameters
+                   additionalHeaders:_additionalHeaders];
+}
+
+- (instancetype)initWithConfiguration:(nonnull OIDServiceConfiguration *)configuration
+               grantType:(nonnull NSString *)grantType
+       authorizationCode:(nullable NSString *)code
+             redirectURL:(nullable NSURL *)redirectURL
+                clientID:(nonnull NSString *)clientID
+            clientSecret:(nullable NSString *)clientSecret
+                   scope:(nullable NSString *)scope
+            refreshToken:(nullable NSString *)refreshToken
+            codeVerifier:(nullable NSString *)codeVerifier
+    additionalParameters:(nullable NSDictionary<NSString *,NSString *> *)additionalParameters {
+  return [self initWithConfiguration:configuration
+                           grantType:grantType
+                   authorizationCode:code
+                         redirectURL:redirectURL
+                            clientID:clientID
+                        clientSecret:clientSecret
+                               scope:scope
+                        refreshToken:refreshToken
+                        codeVerifier:codeVerifier
+                additionalParameters:additionalParameters
+                   additionalHeaders:_additionalHeaders];
+}
+
 - (instancetype)initWithConfiguration:(OIDServiceConfiguration *)configuration
                grantType:(NSString *)grantType
        authorizationCode:(nullable NSString *)code
@@ -92,7 +144,8 @@ - (instancetype)initWithConfiguration:(OIDServiceConfiguration *)configuration
                   scopes:(nullable NSArray<NSString *> *)scopes
             refreshToken:(nullable NSString *)refreshToken
             codeVerifier:(nullable NSString *)codeVerifier
-    additionalParameters:(nullable NSDictionary<NSString *, NSString *> *)additionalParameters {
+    additionalParameters:(nullable NSDictionary<NSString *, NSString *> *)additionalParameters
+       additionalHeaders:(nullable NSDictionary<NSString *, NSString *> *)additionalHeaders {
   return [self initWithConfiguration:configuration
                            grantType:grantType
                    authorizationCode:code
@@ -102,7 +155,8 @@ - (instancetype)initWithConfiguration:(OIDServiceConfiguration *)configuration
                                scope:[OIDScopeUtilities scopesWithArray:scopes]
                         refreshToken:refreshToken
                         codeVerifier:(NSString *)codeVerifier
-                additionalParameters:additionalParameters];
+                additionalParameters:additionalParameters
+                   additionalHeaders:additionalHeaders];
 }
 
 - (instancetype)initWithConfiguration:(OIDServiceConfiguration *)configuration
@@ -114,7 +168,8 @@ - (instancetype)initWithConfiguration:(OIDServiceConfiguration *)configuration
                    scope:(nullable NSString *)scope
             refreshToken:(nullable NSString *)refreshToken
             codeVerifier:(nullable NSString *)codeVerifier
-    additionalParameters:(nullable NSDictionary<NSString *, NSString *> *)additionalParameters {
+    additionalParameters:(nullable NSDictionary<NSString *, NSString *> *)additionalParameters
+       additionalHeaders:(nullable NSDictionary<NSString *, NSString *> *)additionalHeaders {
   self = [super init];
   if (self) {
     _configuration = [configuration copy];
@@ -128,6 +183,8 @@ - (instancetype)initWithConfiguration:(OIDServiceConfiguration *)configuration
     _codeVerifier = [codeVerifier copy];
     _additionalParameters =
         [[NSDictionary alloc] initWithDictionary:additionalParameters copyItems:YES];
+    _additionalHeaders =
+        [[NSDictionary alloc] initWithDictionary:additionalHeaders copyItems:YES];
     
     // Additional validation for the authorization_code grant type
     if ([_grantType isEqual:OIDGrantTypeAuthorizationCode]) {
@@ -174,9 +231,18 @@ - (instancetype)initWithCoder:(NSCoder *)aDecoder {
     [NSDictionary class],
     [NSString class]
   ]];
+    
   NSDictionary *additionalParameters =
-      [aDecoder decodeObjectOfClasses:additionalParameterCodingClasses
-                               forKey:kAdditionalParametersKey];
+      [aDecoder decodeObjectOfClasses:additionalParameterCodingClasses forKey:kAdditionalParametersKey];
+    
+    
+  NSSet *additionalHeaderCodingClasses = [NSSet setWithArray:@[
+    [NSDictionary class],
+    [NSString class]
+  ]];
+    
+  NSDictionary *additionalHeaders =
+      [aDecoder decodeObjectOfClasses:additionalHeaderCodingClasses forKey:kAdditionalHeadersKey];
   
   self = [super init];
   if (self) {
@@ -191,6 +257,8 @@ - (instancetype)initWithCoder:(NSCoder *)aDecoder {
     _codeVerifier = [codeVerifier copy];
     _additionalParameters =
         [[NSDictionary alloc] initWithDictionary:additionalParameters copyItems:YES];
+    _additionalHeaders =
+        [[NSDictionary alloc] initWithDictionary:additionalHeaders copyItems:YES];
   }
   return self;
 }
@@ -206,6 +274,7 @@ - (void)encodeWithCoder:(NSCoder *)aCoder {
   [aCoder encodeObject:_refreshToken forKey:kRefreshTokenKey];
   [aCoder encodeObject:_codeVerifier forKey:kCodeVerifierKey];
   [aCoder encodeObject:_additionalParameters forKey:kAdditionalParametersKey];
+  [aCoder encodeObject:_additionalHeaders forKey:kAdditionalHeadersKey];
 }
 
 #pragma mark - NSObject overrides
@@ -305,6 +374,10 @@ - (NSURLRequest *)URLRequest {
   for (id header in httpHeaders) {
     [URLRequest setValue:httpHeaders[header] forHTTPHeaderField:header];
   }
+  
+  for (id header in _additionalHeaders) {
+    [URLRequest setValue:_additionalHeaders[header] forHTTPHeaderField:header];
+  }
 
   return URLRequest;
 }
diff --git a/Source/AppAuthCore/OIDTokenResponse.h b/Sources/AppAuthCore/OIDTokenResponse.h
similarity index 100%
rename from Source/AppAuthCore/OIDTokenResponse.h
rename to Sources/AppAuthCore/OIDTokenResponse.h
diff --git a/Source/AppAuthCore/OIDTokenResponse.m b/Sources/AppAuthCore/OIDTokenResponse.m
similarity index 100%
rename from Source/AppAuthCore/OIDTokenResponse.m
rename to Sources/AppAuthCore/OIDTokenResponse.m
diff --git a/Source/AppAuthCore/OIDTokenUtilities.h b/Sources/AppAuthCore/OIDTokenUtilities.h
similarity index 100%
rename from Source/AppAuthCore/OIDTokenUtilities.h
rename to Sources/AppAuthCore/OIDTokenUtilities.h
diff --git a/Source/AppAuthCore/OIDTokenUtilities.m b/Sources/AppAuthCore/OIDTokenUtilities.m
similarity index 100%
rename from Source/AppAuthCore/OIDTokenUtilities.m
rename to Sources/AppAuthCore/OIDTokenUtilities.m
diff --git a/Source/AppAuthCore/OIDURLQueryComponent.h b/Sources/AppAuthCore/OIDURLQueryComponent.h
similarity index 100%
rename from Source/AppAuthCore/OIDURLQueryComponent.h
rename to Sources/AppAuthCore/OIDURLQueryComponent.h
diff --git a/Source/AppAuthCore/OIDURLQueryComponent.m b/Sources/AppAuthCore/OIDURLQueryComponent.m
similarity index 100%
rename from Source/AppAuthCore/OIDURLQueryComponent.m
rename to Sources/AppAuthCore/OIDURLQueryComponent.m
diff --git a/Source/AppAuthCore/OIDURLSessionProvider.h b/Sources/AppAuthCore/OIDURLSessionProvider.h
similarity index 100%
rename from Source/AppAuthCore/OIDURLSessionProvider.h
rename to Sources/AppAuthCore/OIDURLSessionProvider.h
diff --git a/Source/AppAuthCore/OIDURLSessionProvider.m b/Sources/AppAuthCore/OIDURLSessionProvider.m
similarity index 100%
rename from Source/AppAuthCore/OIDURLSessionProvider.m
rename to Sources/AppAuthCore/OIDURLSessionProvider.m
diff --git a/Sources/AppAuthCore/Resources/PrivacyInfo.xcprivacy b/Sources/AppAuthCore/Resources/PrivacyInfo.xcprivacy
new file mode 100644
index 000000000..cc6746dcb
--- /dev/null
+++ b/Sources/AppAuthCore/Resources/PrivacyInfo.xcprivacy
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>NSPrivacyAccessedAPITypes</key>
+	<array>
+	</array>
+	<key>NSPrivacyCollectedDataTypes</key>
+	<array>
+	</array>
+	<key>NSPrivacyTrackingDomains</key>
+	<array/>
+	<key>NSPrivacyTracking</key>
+	<false/>
+</dict>
+</plist>
diff --git a/Source/AppAuthTV.h b/Sources/AppAuthTV.h
similarity index 100%
rename from Source/AppAuthTV.h
rename to Sources/AppAuthTV.h
diff --git a/Source/AppAuthTV/OIDTVAuthorizationRequest.h b/Sources/AppAuthTV/OIDTVAuthorizationRequest.h
similarity index 100%
rename from Source/AppAuthTV/OIDTVAuthorizationRequest.h
rename to Sources/AppAuthTV/OIDTVAuthorizationRequest.h
diff --git a/Source/AppAuthTV/OIDTVAuthorizationRequest.m b/Sources/AppAuthTV/OIDTVAuthorizationRequest.m
similarity index 100%
rename from Source/AppAuthTV/OIDTVAuthorizationRequest.m
rename to Sources/AppAuthTV/OIDTVAuthorizationRequest.m
diff --git a/Source/AppAuthTV/OIDTVAuthorizationResponse.h b/Sources/AppAuthTV/OIDTVAuthorizationResponse.h
similarity index 76%
rename from Source/AppAuthTV/OIDTVAuthorizationResponse.h
rename to Sources/AppAuthTV/OIDTVAuthorizationResponse.h
index d3bed1e97..c57847c6e 100644
--- a/Source/AppAuthTV/OIDTVAuthorizationResponse.h
+++ b/Sources/AppAuthTV/OIDTVAuthorizationResponse.h
@@ -87,6 +87,25 @@ NS_ASSUME_NONNULL_BEGIN
 - (nullable OIDTVTokenRequest *)tokenPollRequestWithAdditionalParameters:
     (nullable NSDictionary<NSString *, NSString *> *)additionalParameters;
 
+/*! @brief Creates a token request suitable for polling the token endpoint with the @c deviceCode.
+    @param additionalHeaders Additional headers for the token request.
+    @return A @c OIDTVTokenRequest suitable for polling the token endpoint.
+    @see https://tools.ietf.org/html/rfc8628#section-3.4
+ */
+- (nullable OIDTVTokenRequest *)tokenPollRequestWithAdditionalHeaders:
+    (nullable NSDictionary<NSString *, NSString *> *)additionalHeaders;
+
+/*! @brief Creates a token request suitable for polling the token endpoint with the @c deviceCode.
+    @param additionalParameters Additional parameters for the token request.
+    @param additionalHeaders Additional headers for the token request.
+    @return A @c OIDTVTokenRequest suitable for polling the token endpoint.
+    @see https://tools.ietf.org/html/rfc8628#section-3.4
+ */
+- (nullable OIDTVTokenRequest *)tokenPollRequestWithAdditionalParameters:
+    (nullable NSDictionary<NSString *, NSString *> *)additionalParameters
+                                                       additionalHeaders:
+    (nullable NSDictionary<NSString *, NSString *> *)additionalHeaders;
+
 @end
 
 NS_ASSUME_NONNULL_END
diff --git a/Source/AppAuthTV/OIDTVAuthorizationResponse.m b/Sources/AppAuthTV/OIDTVAuthorizationResponse.m
similarity index 84%
rename from Source/AppAuthTV/OIDTVAuthorizationResponse.m
rename to Sources/AppAuthTV/OIDTVAuthorizationResponse.m
index 71b9e8f04..b45fc85f3 100644
--- a/Source/AppAuthTV/OIDTVAuthorizationResponse.m
+++ b/Sources/AppAuthTV/OIDTVAuthorizationResponse.m
@@ -149,7 +149,7 @@ - (NSString *)description {
 #pragma mark -
 
 - (OIDTVTokenRequest *)tokenPollRequest {
-  return [self tokenPollRequestWithAdditionalParameters:nil];
+  return [self tokenPollRequestWithAdditionalParameters:nil additionalHeaders:nil];
 }
 
 - (OIDTVTokenRequest *)tokenPollRequestWithAdditionalParameters:
@@ -159,7 +159,32 @@ - (OIDTVTokenRequest *)tokenPollRequestWithAdditionalParameters:
                  deviceCode:_deviceCode
                    clientID:self.request.clientID
                clientSecret:self.request.clientSecret
-       additionalParameters:additionalParameters];
+       additionalParameters:additionalParameters
+          additionalHeaders:nil];
+}
+
+- (OIDTVTokenRequest *)tokenPollRequestWithAdditionalHeaders:
+    (NSDictionary<NSString *, NSString *> *)additionalHeaders {
+  return [[OIDTVTokenRequest alloc]
+      initWithConfiguration:(OIDTVServiceConfiguration *)self.request.configuration
+                 deviceCode:_deviceCode
+                   clientID:self.request.clientID
+               clientSecret:self.request.clientSecret
+       additionalParameters:nil
+          additionalHeaders:additionalHeaders];
+}
+
+- (OIDTVTokenRequest *)tokenPollRequestWithAdditionalParameters:
+    (NSDictionary<NSString *, NSString *> *)additionalParameters
+                                              additionalHeaders:
+    (NSDictionary<NSString *, NSString *> *)additionalHeaders {
+  return [[OIDTVTokenRequest alloc]
+      initWithConfiguration:(OIDTVServiceConfiguration *)self.request.configuration
+                 deviceCode:_deviceCode
+                   clientID:self.request.clientID
+               clientSecret:self.request.clientSecret
+       additionalParameters:additionalParameters
+          additionalHeaders:additionalHeaders];
 }
 
 @end
diff --git a/Source/AppAuthTV/OIDTVAuthorizationService.h b/Sources/AppAuthTV/OIDTVAuthorizationService.h
similarity index 100%
rename from Source/AppAuthTV/OIDTVAuthorizationService.h
rename to Sources/AppAuthTV/OIDTVAuthorizationService.h
diff --git a/Source/AppAuthTV/OIDTVAuthorizationService.m b/Sources/AppAuthTV/OIDTVAuthorizationService.m
similarity index 100%
rename from Source/AppAuthTV/OIDTVAuthorizationService.m
rename to Sources/AppAuthTV/OIDTVAuthorizationService.m
diff --git a/Source/AppAuthTV/OIDTVServiceConfiguration.h b/Sources/AppAuthTV/OIDTVServiceConfiguration.h
similarity index 100%
rename from Source/AppAuthTV/OIDTVServiceConfiguration.h
rename to Sources/AppAuthTV/OIDTVServiceConfiguration.h
diff --git a/Source/AppAuthTV/OIDTVServiceConfiguration.m b/Sources/AppAuthTV/OIDTVServiceConfiguration.m
similarity index 100%
rename from Source/AppAuthTV/OIDTVServiceConfiguration.m
rename to Sources/AppAuthTV/OIDTVServiceConfiguration.m
diff --git a/Source/AppAuthTV/OIDTVTokenRequest.h b/Sources/AppAuthTV/OIDTVTokenRequest.h
similarity index 75%
rename from Source/AppAuthTV/OIDTVTokenRequest.h
rename to Sources/AppAuthTV/OIDTVTokenRequest.h
index 5a81c7434..8643b4cc5 100644
--- a/Source/AppAuthTV/OIDTVTokenRequest.h
+++ b/Sources/AppAuthTV/OIDTVTokenRequest.h
@@ -35,14 +35,14 @@ NS_ASSUME_NONNULL_BEGIN
 
 /*! @internal
     @brief Unavailable. Please use
-        @c initWithConfiguration:deviceCode:clientID:clientSecret:additionalParameters:
+        @c initWithConfiguration:deviceCode:clientID:clientSecret:additionalParameters:additionalHeaders:
         or @c initWithCoder:.
 */
 - (instancetype)init NS_UNAVAILABLE;
 
 /*! @internal
     @brief Unavailable. Please use
-        @c initWithConfiguration:deviceCode:clientID:clientSecret:additionalParameters:
+        @c initWithConfiguration:deviceCode:clientID:clientSecret:additionalParameters:additionalHeaders:
         or @c initWithCoder:.
 */
 - (instancetype)initWithConfiguration:(OIDServiceConfiguration *)configuration
@@ -56,11 +56,13 @@ NS_ASSUME_NONNULL_BEGIN
                          codeVerifier:(nullable NSString *)codeVerifier
                  additionalParameters:
                      (nullable NSDictionary<NSString *, NSString *> *)additionalParameters
+                    additionalHeaders:
+                     (nullable NSDictionary<NSString *, NSString *> *)additionalHeaders
     NS_UNAVAILABLE;
 
 /*! @internal
     @brief Unavailable. Please use
-        @c initWithConfiguration:deviceCode:clientID:clientSecret:additionalParameters:
+        @c initWithConfiguration:deviceCode:clientID:clientSecret:additionalParameters:additionalHeaders:
         or @c initWithCoder:.
 */
 - (instancetype)initWithConfiguration:(OIDServiceConfiguration *)configuration
@@ -74,6 +76,8 @@ NS_ASSUME_NONNULL_BEGIN
                          codeVerifier:(nullable NSString *)codeVerifier
                  additionalParameters:
                      (nullable NSDictionary<NSString *, NSString *> *)additionalParameters
+                    additionalHeaders:
+                     (nullable NSDictionary<NSString *, NSString *> *)additionalHeaders
     NS_UNAVAILABLE;
 
 /*! @brief Designated initializer.
@@ -83,12 +87,29 @@ NS_ASSUME_NONNULL_BEGIN
     @param clientSecret The client secret (nullable).
     @param additionalParameters The client's additional token request parameters.
 */
+- (instancetype)initWithConfiguration:(OIDTVServiceConfiguration *)configuration
+                           deviceCode:(NSString *)deviceCode
+                             clientID:(NSString *)clientID
+                         clientSecret:(nullable NSString *)clientSecret
+                 additionalParameters:
+                     (nullable NSDictionary<NSString *, NSString *> *)additionalParameters;
+
+/*! @brief Designated initializer.
+    @param configuration The service's configuration.
+    @param deviceCode The device verification code received from the authorization server.
+    @param clientID The client identifier.
+    @param clientSecret The client secret (nullable).
+    @param additionalParameters The client's additional token request parameters.
+    @param additionalHeaders The client's additional token request headers.
+*/
 - (instancetype)initWithConfiguration:(OIDTVServiceConfiguration *)configuration
                            deviceCode:(NSString *)deviceCode
                              clientID:(NSString *)clientID
                          clientSecret:(nullable NSString *)clientSecret
                  additionalParameters:
                      (nullable NSDictionary<NSString *, NSString *> *)additionalParameters
+                    additionalHeaders:
+                     (nullable NSDictionary<NSString *, NSString *> *)additionalHeaders
     NS_DESIGNATED_INITIALIZER;
 
 /*! @brief Designated initializer for NSSecureCoding.
diff --git a/Source/AppAuthTV/OIDTVTokenRequest.m b/Sources/AppAuthTV/OIDTVTokenRequest.m
similarity index 82%
rename from Source/AppAuthTV/OIDTVTokenRequest.m
rename to Sources/AppAuthTV/OIDTVTokenRequest.m
index 88874a817..0878c7934 100644
--- a/Source/AppAuthTV/OIDTVTokenRequest.m
+++ b/Sources/AppAuthTV/OIDTVTokenRequest.m
@@ -43,6 +43,7 @@ - (instancetype)init OID_UNAVAILABLE_USE_INITIALIZER(@selector
                                                                      clientID:
                                                                  clientSecret:
                                                          additionalParameters:
+                                                            additionalHeaders:
                                                              ))
 
 - (instancetype)initWithConfiguration:(OIDServiceConfiguration *)configuration
@@ -56,12 +57,15 @@ - (instancetype)initWithConfiguration:(OIDServiceConfiguration *)configuration
                          codeVerifier:(nullable NSString *)codeVerifier
                  additionalParameters:
                      (nullable NSDictionary<NSString *, NSString *> *)additionalParameters
+                    additionalHeaders:
+                     (nullable NSDictionary<NSString *, NSString *> *)additionalHeaders
     OID_UNAVAILABLE_USE_INITIALIZER(@selector
                                     (initWithConfiguration:
                                                   deviceCode:
                                                     clientID:
                                                 clientSecret:
                                         additionalParameters:
+                                           additionalHeaders:
                                             ))
 
 - (instancetype)initWithConfiguration:(OIDServiceConfiguration *)configuration
@@ -75,12 +79,15 @@ - (instancetype)initWithConfiguration:(OIDServiceConfiguration *)configuration
                          codeVerifier:(nullable NSString *)codeVerifier
                  additionalParameters:
                      (nullable NSDictionary<NSString *, NSString *> *)additionalParameters
+                    additionalHeaders:
+                     (nullable NSDictionary<NSString *, NSString *> *)additionalHeaders
     OID_UNAVAILABLE_USE_INITIALIZER(@selector
                                      (initWithConfiguration:
                                                   deviceCode:
                                                     clientID:
                                                 clientSecret:
                                         additionalParameters:
+                                           additionalHeaders:
                                               ))
 
 - (instancetype)initWithConfiguration:(OIDTVServiceConfiguration *)configuration
@@ -88,6 +95,20 @@ - (instancetype)initWithConfiguration:(OIDTVServiceConfiguration *)configuration
                              clientID:(NSString *)clientID
                          clientSecret:(NSString *)clientSecret
                  additionalParameters:(NSDictionary<NSString *, NSString *> *)additionalParameters {
+  return [self initWithConfiguration:configuration
+                          deviceCode:deviceCode
+                            clientID:clientID
+                        clientSecret:clientSecret
+                additionalParameters:additionalParameters
+                   additionalHeaders:nil];
+}
+
+- (instancetype)initWithConfiguration:(OIDTVServiceConfiguration *)configuration
+                           deviceCode:(NSString *)deviceCode
+                             clientID:(NSString *)clientID
+                         clientSecret:(NSString *)clientSecret
+                 additionalParameters:(NSDictionary<NSString *, NSString *> *)additionalParameters
+                    additionalHeaders:(NSDictionary<NSString *, NSString *> *)additionalHeaders {
   self = [super initWithConfiguration:configuration
                             grantType:kOIDTVDeviceTokenGrantType
                     authorizationCode:nil
@@ -97,7 +118,8 @@ - (instancetype)initWithConfiguration:(OIDTVServiceConfiguration *)configuration
                                 scope:nil
                          refreshToken:nil
                          codeVerifier:nil
-                 additionalParameters:additionalParameters];
+                 additionalParameters:additionalParameters
+                    additionalHeaders:additionalHeaders];
 
   if (self) {
     _deviceCode = [deviceCode copy];
diff --git a/Sources/AppAuthTV/Resources/PrivacyInfo.xcprivacy b/Sources/AppAuthTV/Resources/PrivacyInfo.xcprivacy
new file mode 100644
index 000000000..cc6746dcb
--- /dev/null
+++ b/Sources/AppAuthTV/Resources/PrivacyInfo.xcprivacy
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>NSPrivacyAccessedAPITypes</key>
+	<array>
+	</array>
+	<key>NSPrivacyCollectedDataTypes</key>
+	<array>
+	</array>
+	<key>NSPrivacyTrackingDomains</key>
+	<array/>
+	<key>NSPrivacyTracking</key>
+	<false/>
+</dict>
+</plist>
diff --git a/Source/CoreFramework/AppAuthCore.h b/Sources/CoreFramework/AppAuthCore.h
similarity index 100%
rename from Source/CoreFramework/AppAuthCore.h
rename to Sources/CoreFramework/AppAuthCore.h
diff --git a/Source/CoreFramework/Info.plist b/Sources/CoreFramework/Info.plist
similarity index 100%
rename from Source/CoreFramework/Info.plist
rename to Sources/CoreFramework/Info.plist
diff --git a/Source/Framework/AppAuth.h b/Sources/Framework/AppAuth.h
similarity index 100%
rename from Source/Framework/AppAuth.h
rename to Sources/Framework/AppAuth.h
diff --git a/Source/Framework/Info.plist b/Sources/Framework/Info.plist
similarity index 100%
rename from Source/Framework/Info.plist
rename to Sources/Framework/Info.plist
diff --git a/Source/TVFramework/AppAuthTV.h b/Sources/TVFramework/AppAuthTV.h
similarity index 100%
rename from Source/TVFramework/AppAuthTV.h
rename to Sources/TVFramework/AppAuthTV.h
diff --git a/Source/TVFramework/Info.plist b/Sources/TVFramework/Info.plist
similarity index 100%
rename from Source/TVFramework/Info.plist
rename to Sources/TVFramework/Info.plist
diff --git a/UnitTests/AppAuthTV/OIDTVAuthorizationRequestTests.m b/UnitTests/AppAuthTV/OIDTVAuthorizationRequestTests.m
index 7b1d19c95..a5ccd6e1d 100644
--- a/UnitTests/AppAuthTV/OIDTVAuthorizationRequestTests.m
+++ b/UnitTests/AppAuthTV/OIDTVAuthorizationRequestTests.m
@@ -21,10 +21,10 @@
 #if SWIFT_PACKAGE
 @import AppAuthTV;
 #else
-#import "Source/AppAuthCore/OIDScopeUtilities.h"
-#import "Source/AppAuthCore/OIDURLQueryComponent.h"
-#import "Source/AppAuthTV/OIDTVAuthorizationRequest.h"
-#import "Source/AppAuthTV/OIDTVServiceConfiguration.h"
+#import "Sources/AppAuthCore/OIDScopeUtilities.h"
+#import "Sources/AppAuthCore/OIDURLQueryComponent.h"
+#import "Sources/AppAuthTV/OIDTVAuthorizationRequest.h"
+#import "Sources/AppAuthTV/OIDTVServiceConfiguration.h"
 #endif
 
 // Ignore warnings about "Use of GNU statement expression extension" which is raised by our use of
diff --git a/UnitTests/AppAuthTV/OIDTVAuthorizationResponseTests.h b/UnitTests/AppAuthTV/OIDTVAuthorizationResponseTests.h
index 32497c854..2ffbc5775 100644
--- a/UnitTests/AppAuthTV/OIDTVAuthorizationResponseTests.h
+++ b/UnitTests/AppAuthTV/OIDTVAuthorizationResponseTests.h
@@ -48,10 +48,10 @@ NS_ASSUME_NONNULL_BEGIN
  */
 - (void)testTokenPollRequest;
 
-/*! @brief Tests the @c tokenPollRequestWithAdditionalParameters method with one additional
-        parameter.
+/*! @brief Tests the @c testTokenPollRequestWithAdditionalParametersAdditionalHeaders method with one additional
+        parameter and one additional header.
  */
-- (void)testTokenPollRequestWithAdditionalParameters;
+- (void)testTokenPollRequestWithAdditionalParametersAdditionalHeaders;
 
 @end
 
diff --git a/UnitTests/AppAuthTV/OIDTVAuthorizationResponseTests.m b/UnitTests/AppAuthTV/OIDTVAuthorizationResponseTests.m
index a6d1bb2f5..436232322 100644
--- a/UnitTests/AppAuthTV/OIDTVAuthorizationResponseTests.m
+++ b/UnitTests/AppAuthTV/OIDTVAuthorizationResponseTests.m
@@ -21,12 +21,12 @@
 #if SWIFT_PACKAGE
 @import AppAuthTV;
 #else
-#import "Source/AppAuthCore/OIDScopeUtilities.h"
-#import "Source/AppAuthCore/OIDURLQueryComponent.h"
-#import "Source/AppAuthTV/OIDTVAuthorizationRequest.h"
-#import "Source/AppAuthTV/OIDTVAuthorizationResponse.h"
-#import "Source/AppAuthTV/OIDTVServiceConfiguration.h"
-#import "Source/AppAuthTV/OIDTVTokenRequest.h"
+#import "Sources/AppAuthCore/OIDScopeUtilities.h"
+#import "Sources/AppAuthCore/OIDURLQueryComponent.h"
+#import "Sources/AppAuthTV/OIDTVAuthorizationRequest.h"
+#import "Sources/AppAuthTV/OIDTVAuthorizationResponse.h"
+#import "Sources/AppAuthTV/OIDTVServiceConfiguration.h"
+#import "Sources/AppAuthTV/OIDTVTokenRequest.h"
 #endif
 
 /*! @brief Test value for the @c deviceAuthorizationEndpoint property.
@@ -45,6 +45,14 @@
  */
 static NSString *const kTestAdditionalParameterValue = @"1";
 
+/*! @brief Test key for the @c additionalHeaders property.
+ */
+static NSString *const kTestAdditionalHeaderKey = @"B";
+
+/*! @brief Test value for the @c additionalHeaders property.
+ */
+static NSString *const kTestAdditionalHeaderValue = @"2";
+
 /*! @brief Test value for the @c clientID property.
  */
 static NSString *const kTestClientID = @"ClientID";
@@ -262,22 +270,26 @@ - (void)testTokenPollRequest {
   XCTAssertEqualObjects(pollRequest.additionalParameters, @{});
 }
 
-/*! @brief Tests the @c tokenPollRequestWithAdditionalParameters method with one additional
-         parameter.
+/*! @brief Tests the @c testTokenPollRequestWithAdditionalParametersAdditionalHeaders method with one additional
+         parameter and one additional header.
  */
-- (void)testTokenPollRequestWithAdditionalParameters {
+- (void)testTokenPollRequestWithAdditionalParametersAdditionalHeaders {
   OIDTVAuthorizationResponse *testResponse = [self testAuthorizationResponse];
 
   NSDictionary<NSString *, NSString *> *testAdditionalParameters =
       @{kTestAdditionalParameterKey : kTestAdditionalParameterValue};
+  
+  NSDictionary<NSString *, NSString *> *testAdditionalHeaders =
+      @{kTestAdditionalHeaderKey : kTestAdditionalHeaderValue};
 
   OIDTVTokenRequest *pollRequest =
-      [testResponse tokenPollRequestWithAdditionalParameters:testAdditionalParameters];
+      [testResponse tokenPollRequestWithAdditionalParameters:testAdditionalParameters additionalHeaders:testAdditionalHeaders];
 
   XCTAssertEqualObjects(pollRequest.deviceCode, kTestDeviceCode);
   XCTAssertEqualObjects(pollRequest.clientID, kTestClientID);
   XCTAssertEqualObjects(pollRequest.clientSecret, kTestClientSecret);
   XCTAssertEqualObjects(pollRequest.additionalParameters, testAdditionalParameters);
+  XCTAssertEqualObjects(pollRequest.additionalHeaders, testAdditionalHeaders);
 }
 
 @end
diff --git a/UnitTests/AppAuthTV/OIDTVTokenRequestTests.m b/UnitTests/AppAuthTV/OIDTVTokenRequestTests.m
index cf0bf4963..cd56344fd 100644
--- a/UnitTests/AppAuthTV/OIDTVTokenRequestTests.m
+++ b/UnitTests/AppAuthTV/OIDTVTokenRequestTests.m
@@ -21,11 +21,11 @@
 #if SWIFT_PACKAGE
 @import AppAuthTV;
 #else
-#import "Source/AppAuthCore/OIDScopeUtilities.h"
-#import "Source/AppAuthTV/OIDTVAuthorizationRequest.h"
-#import "Source/AppAuthTV/OIDTVAuthorizationResponse.h"
-#import "Source/AppAuthTV/OIDTVServiceConfiguration.h"
-#import "Source/AppAuthTV/OIDTVTokenRequest.h"
+#import "Sources/AppAuthCore/OIDScopeUtilities.h"
+#import "Sources/AppAuthTV/OIDTVAuthorizationRequest.h"
+#import "Sources/AppAuthTV/OIDTVAuthorizationResponse.h"
+#import "Sources/AppAuthTV/OIDTVServiceConfiguration.h"
+#import "Sources/AppAuthTV/OIDTVTokenRequest.h"
 #endif
 
 // Ignore warnings about "Use of GNU statement expression extension" which is
@@ -50,6 +50,14 @@
  */
 static NSString *const kTestAdditionalParameterValue = @"1";
 
+/*! @brief Test key for the @c additionalHeaders property.
+ */
+static NSString *const kTestAdditionalHeaderKey = @"B";
+
+/*! @brief Test value for the @c additionalHeaders property.
+ */
+static NSString *const kTestAdditionalHeaderValue = @"2";
+
 /*! @brief Test key for the @c clientID parameter in the HTTP request.
  */
 static NSString *const kTestClientIDKey = @"client_id";
@@ -121,7 +129,8 @@ - (OIDTVTokenRequest *)testTokenRequest {
                  deviceCode:kDeviceCodeValue
                    clientID:kTestClientID
                clientSecret:kTestClientSecret
-       additionalParameters:@{kTestAdditionalParameterKey : kTestAdditionalParameterValue}];
+       additionalParameters:@{kTestAdditionalParameterKey : kTestAdditionalParameterValue}
+          additionalHeaders:@{kTestAdditionalHeaderKey : kTestAdditionalHeaderValue}];
 }
 
 /*! @brief Tests the initializer
@@ -139,6 +148,8 @@ - (void)testInitializer {
   XCTAssertEqualObjects(request.clientSecret, kTestClientSecret);
   XCTAssertEqualObjects(request.additionalParameters,
                         @{kTestAdditionalParameterKey:kTestAdditionalParameterValue});
+  XCTAssertEqualObjects(request.additionalHeaders,
+                        @{kTestAdditionalHeaderKey:kTestAdditionalHeaderValue});
 }
 
 /*! @brief Tests the @c NSCopying implementation by round-tripping an instance through the copying
diff --git a/UnitTests/OIDAuthStateTests.h b/UnitTests/OIDAuthStateTests.h
index 2f1a62ab1..3bd1eb6fb 100644
--- a/UnitTests/OIDAuthStateTests.h
+++ b/UnitTests/OIDAuthStateTests.h
@@ -21,8 +21,8 @@
 #if SWIFT_PACKAGE
 @import AppAuthCore;
 #else
-#import "Source/AppAuthCore/OIDAuthStateChangeDelegate.h"
-#import "Source/AppAuthCore/OIDAuthStateErrorDelegate.h"
+#import "Sources/AppAuthCore/OIDAuthStateChangeDelegate.h"
+#import "Sources/AppAuthCore/OIDAuthStateErrorDelegate.h"
 #endif
 
 @class OIDAuthState;
diff --git a/UnitTests/OIDAuthStateTests.m b/UnitTests/OIDAuthStateTests.m
index 4d7c3a8b7..051902833 100644
--- a/UnitTests/OIDAuthStateTests.m
+++ b/UnitTests/OIDAuthStateTests.m
@@ -25,11 +25,11 @@
 #if SWIFT_PACKAGE
 @import AppAuthCore;
 #else
-#import "Source/AppAuthCore/OIDAuthState.h"
-#import "Source/AppAuthCore/OIDAuthorizationResponse.h"
-#import "Source/AppAuthCore/OIDErrorUtilities.h"
-#import "Source/AppAuthCore/OIDRegistrationResponse.h"
-#import "Source/AppAuthCore/OIDTokenResponse.h"
+#import "Sources/AppAuthCore/OIDAuthState.h"
+#import "Sources/AppAuthCore/OIDAuthorizationResponse.h"
+#import "Sources/AppAuthCore/OIDErrorUtilities.h"
+#import "Sources/AppAuthCore/OIDRegistrationResponse.h"
+#import "Sources/AppAuthCore/OIDTokenResponse.h"
 #endif
 
 #import "OIDTokenRequestTests.h"
@@ -435,6 +435,27 @@ - (void)testIsTokenFreshHandlesTokenWithoutExpirationTime {
   XCTAssertEqual([authState isTokenFresh], YES, @"");
 }
 
+- (void)testThatRefreshTokenExceptionWillBeRaisedForTokenRequestWithAdditionalParameters {
+  OIDAuthState *authState = [[OIDAuthState alloc] initWithAuthorizationResponse:nil tokenResponse:nil registrationResponse:nil];
+  XCTAssertThrowsSpecificNamed([authState tokenRefreshRequestWithAdditionalParameters:nil],
+                               NSException,
+                               kRefreshTokenRequestException);
+}
+
+- (void)testThatRefreshTokenExceptionWillBeRaisedForTokenRequestWithAdditionalHeaders {
+  OIDAuthState *authState = [[OIDAuthState alloc] initWithAuthorizationResponse:nil tokenResponse:nil registrationResponse:nil];
+  XCTAssertThrowsSpecificNamed([authState tokenRefreshRequestWithAdditionalHeaders:nil],
+                               NSException,
+                               kRefreshTokenRequestException);
+}
+
+- (void)testThatRefreshTokenExceptionWillBeRaisedForTokenRequestWithAdditionalParametersAndHeaders {
+  OIDAuthState *authState = [[OIDAuthState alloc] initWithAuthorizationResponse:nil tokenResponse:nil registrationResponse:nil];
+  XCTAssertThrowsSpecificNamed([authState tokenRefreshRequestWithAdditionalHeaders:nil],
+                               NSException,
+                               kRefreshTokenRequestException);
+}
+
 @end
 
 #pragma GCC diagnostic pop
diff --git a/UnitTests/OIDAuthorizationRequestTests.m b/UnitTests/OIDAuthorizationRequestTests.m
index 06bfc6c13..dd1329383 100644
--- a/UnitTests/OIDAuthorizationRequestTests.m
+++ b/UnitTests/OIDAuthorizationRequestTests.m
@@ -23,9 +23,9 @@
 #if SWIFT_PACKAGE
 @import AppAuthCore;
 #else
-#import "Source/AppAuthCore/OIDAuthorizationRequest.h"
-#import "Source/AppAuthCore/OIDScopeUtilities.h"
-#import "Source/AppAuthCore/OIDServiceConfiguration.h"
+#import "Sources/AppAuthCore/OIDAuthorizationRequest.h"
+#import "Sources/AppAuthCore/OIDScopeUtilities.h"
+#import "Sources/AppAuthCore/OIDServiceConfiguration.h"
 #endif
 
 // Ignore warnings about "Use of GNU statement expression extension" which is raised by our use of
@@ -223,6 +223,29 @@ - (void)testScopeInitializerWithManyScopesAndNoClientSecret {
                         kTestAdditionalParameterValue, @"");
 }
 
+
+/*! @brief Tests the initializer which takes a nonce
+ */
+- (void)testNonceInitializer {
+  OIDServiceConfiguration *configuration = [OIDServiceConfigurationTests testInstance];
+  OIDAuthorizationRequest *request =
+      [[OIDAuthorizationRequest alloc] initWithConfiguration:configuration
+                                                    clientId:kTestClientID
+                                                      scopes:@[]
+                                                 redirectURL:[NSURL URLWithString:kTestRedirectURL]
+                                                responseType:OIDResponseTypeCode
+                                                       nonce:kTestNonce
+                                        additionalParameters:nil];
+
+  XCTAssertEqualObjects(request.nonce, kTestNonce);
+  XCTAssertEqualObjects(request.responseType, @"code");
+  XCTAssertEqualObjects(request.scope, @"");
+  XCTAssertEqualObjects(request.clientID, kTestClientID);
+  XCTAssertNil(request.clientSecret);
+  XCTAssertEqualObjects(request.redirectURL, [NSURL URLWithString:kTestRedirectURL]);
+  XCTAssertEqualObjects(@(request.additionalParameters.count), @0);
+}
+
 - (void)testScopeInitializerWithManyScopesAndClientSecret {
   NSDictionary *additionalParameters =
       @{ kTestAdditionalParameterKey : kTestAdditionalParameterValue };
diff --git a/UnitTests/OIDAuthorizationResponseTests.m b/UnitTests/OIDAuthorizationResponseTests.m
index 10e48eaa8..3aded7eaa 100644
--- a/UnitTests/OIDAuthorizationResponseTests.m
+++ b/UnitTests/OIDAuthorizationResponseTests.m
@@ -23,9 +23,9 @@
 #if SWIFT_PACKAGE
 @import AppAuthCore;
 #else
-#import "Source/AppAuthCore/OIDAuthorizationRequest.h"
-#import "Source/AppAuthCore/OIDAuthorizationResponse.h"
-#import "Source/AppAuthCore/OIDGrantTypes.h"
+#import "Sources/AppAuthCore/OIDAuthorizationRequest.h"
+#import "Sources/AppAuthCore/OIDAuthorizationResponse.h"
+#import "Sources/AppAuthCore/OIDGrantTypes.h"
 #endif
 
 // Ignore warnings about "Use of GNU statement expression extension" which is raised by our use of
diff --git a/UnitTests/OIDEndSessionRequestTests.m b/UnitTests/OIDEndSessionRequestTests.m
index 4620d3b82..38543c8d3 100644
--- a/UnitTests/OIDEndSessionRequestTests.m
+++ b/UnitTests/OIDEndSessionRequestTests.m
@@ -23,9 +23,9 @@
 #if SWIFT_PACKAGE
 @import AppAuthCore;
 #else
-#import "Source/AppAuthCore/OIDEndSessionRequest.h"
-#import "Source/AppAuthCore/OIDServiceConfiguration.h"
-#import "Source/AppAuthCore/OIDServiceDiscovery.h"
+#import "Sources/AppAuthCore/OIDEndSessionRequest.h"
+#import "Sources/AppAuthCore/OIDServiceConfiguration.h"
+#import "Sources/AppAuthCore/OIDServiceDiscovery.h"
 #endif
 
 /*! @brief Test value for the @c redirectURL property.
diff --git a/UnitTests/OIDGrantTypesTests.m b/UnitTests/OIDGrantTypesTests.m
index 8c06d5701..b6efc8ea1 100644
--- a/UnitTests/OIDGrantTypesTests.m
+++ b/UnitTests/OIDGrantTypesTests.m
@@ -21,7 +21,7 @@
 #if SWIFT_PACKAGE
 @import AppAuthCore;
 #else
-#import "Source/AppAuthCore/OIDGrantTypes.h"
+#import "Sources/AppAuthCore/OIDGrantTypes.h"
 #endif
 
 // Ignore warnings about "Use of GNU statement expression extension" which is raised by our use of
diff --git a/UnitTests/OIDRegistrationRequestTests.m b/UnitTests/OIDRegistrationRequestTests.m
index 5fbbd585e..440dab2a5 100644
--- a/UnitTests/OIDRegistrationRequestTests.m
+++ b/UnitTests/OIDRegistrationRequestTests.m
@@ -23,9 +23,9 @@
 #if SWIFT_PACKAGE
 @import AppAuthCore;
 #else
-#import "Source/AppAuthCore/OIDClientMetadataParameters.h"
-#import "Source/AppAuthCore/OIDRegistrationRequest.h"
-#import "Source/AppAuthCore/OIDServiceConfiguration.h"
+#import "Sources/AppAuthCore/OIDClientMetadataParameters.h"
+#import "Sources/AppAuthCore/OIDRegistrationRequest.h"
+#import "Sources/AppAuthCore/OIDServiceConfiguration.h"
 #endif
 
 /*! @brief Test key for the @c additionalParameters property.
diff --git a/UnitTests/OIDRegistrationResponseTests.m b/UnitTests/OIDRegistrationResponseTests.m
index f747cc244..92e57e338 100644
--- a/UnitTests/OIDRegistrationResponseTests.m
+++ b/UnitTests/OIDRegistrationResponseTests.m
@@ -24,8 +24,8 @@
 #if SWIFT_PACKAGE
 @import AppAuthCore;
 #else
-#import "Source/AppAuthCore/OIDRegistrationRequest.h"
-#import "Source/AppAuthCore/OIDRegistrationResponse.h"
+#import "Sources/AppAuthCore/OIDRegistrationRequest.h"
+#import "Sources/AppAuthCore/OIDRegistrationResponse.h"
 #endif
 
 /*! @brief The test value for the @c clientID property.
diff --git a/UnitTests/OIDResponseTypesTests.m b/UnitTests/OIDResponseTypesTests.m
index 5402ebbf5..659597735 100644
--- a/UnitTests/OIDResponseTypesTests.m
+++ b/UnitTests/OIDResponseTypesTests.m
@@ -21,7 +21,7 @@
 #if SWIFT_PACKAGE
 @import AppAuthCore;
 #else
-#import "Source/AppAuthCore/OIDResponseTypes.h"
+#import "Sources/AppAuthCore/OIDResponseTypes.h"
 #endif
 
 // Ignore warnings about "Use of GNU statement expression extension" which is raised by our use of
diff --git a/UnitTests/OIDScopesTests.m b/UnitTests/OIDScopesTests.m
index 2d9173748..b5276ebd8 100644
--- a/UnitTests/OIDScopesTests.m
+++ b/UnitTests/OIDScopesTests.m
@@ -21,7 +21,7 @@
 #if SWIFT_PACKAGE
 @import AppAuthCore;
 #else
-#import "Source/AppAuthCore/OIDScopes.h"
+#import "Sources/AppAuthCore/OIDScopes.h"
 #endif
 
 // Ignore warnings about "Use of GNU statement expression extension" which is raised by our use of
diff --git a/UnitTests/OIDServiceConfigurationTests.m b/UnitTests/OIDServiceConfigurationTests.m
index 3be785e60..7f4fcb11c 100644
--- a/UnitTests/OIDServiceConfigurationTests.m
+++ b/UnitTests/OIDServiceConfigurationTests.m
@@ -25,10 +25,10 @@
 #if SWIFT_PACKAGE
 @import AppAuthCore;
 #else
-#import "Source/AppAuthCore/OIDAuthorizationService.h"
-#import "Source/AppAuthCore/OIDError.h"
-#import "Source/AppAuthCore/OIDServiceConfiguration.h"
-#import "Source/AppAuthCore/OIDServiceDiscovery.h"
+#import "Sources/AppAuthCore/OIDAuthorizationService.h"
+#import "Sources/AppAuthCore/OIDError.h"
+#import "Sources/AppAuthCore/OIDServiceConfiguration.h"
+#import "Sources/AppAuthCore/OIDServiceDiscovery.h"
 #endif
 
 // Ignore warnings about "Use of GNU statement expression extension" which is raised by our use of
diff --git a/UnitTests/OIDServiceDiscoveryTests.m b/UnitTests/OIDServiceDiscoveryTests.m
index 6329feab3..6d9faf799 100644
--- a/UnitTests/OIDServiceDiscoveryTests.m
+++ b/UnitTests/OIDServiceDiscoveryTests.m
@@ -21,8 +21,8 @@
 #if SWIFT_PACKAGE
 @import AppAuthCore;
 #else
-#import "Source/AppAuthCore/OIDError.h"
-#import "Source/AppAuthCore/OIDServiceDiscovery.h"
+#import "Sources/AppAuthCore/OIDError.h"
+#import "Sources/AppAuthCore/OIDServiceDiscovery.h"
 #endif
 
 // Ignore warnings about "Use of GNU statement expression extension" which is raised by our use of
diff --git a/UnitTests/OIDTokenRequestTests.m b/UnitTests/OIDTokenRequestTests.m
index 4211ef70a..c387bd809 100644
--- a/UnitTests/OIDTokenRequestTests.m
+++ b/UnitTests/OIDTokenRequestTests.m
@@ -24,11 +24,11 @@
 #if SWIFT_PACKAGE
 @import AppAuthCore;
 #else
-#import "Source/AppAuthCore/OIDAuthorizationRequest.h"
-#import "Source/AppAuthCore/OIDAuthorizationResponse.h"
-#import "Source/AppAuthCore/OIDScopeUtilities.h"
-#import "Source/AppAuthCore/OIDServiceConfiguration.h"
-#import "Source/AppAuthCore/OIDTokenRequest.h"
+#import "Sources/AppAuthCore/OIDAuthorizationRequest.h"
+#import "Sources/AppAuthCore/OIDAuthorizationResponse.h"
+#import "Sources/AppAuthCore/OIDScopeUtilities.h"
+#import "Sources/AppAuthCore/OIDServiceConfiguration.h"
+#import "Sources/AppAuthCore/OIDTokenRequest.h"
 #endif
 
 // Ignore warnings about "Use of GNU statement expression extension" which is raised by our use of
@@ -48,6 +48,22 @@
  */
 static NSString *const kTestAdditionalParameterValue = @"1";
 
+/*! @brief Test key for the @c additionalHeaders property.
+ */
+static NSString *const kTestAdditionalHeaderKey = @"B";
+
+/*! @brief Test value for the @c additionalHeaders property.
+ */
+static NSString *const kTestAdditionalHeaderValue = @"2";
+
+/*! @brief Test key for the @c additionalHeaders property.
+ */
+static NSString *const kTestAdditionalHeaderKey2 = @"C";
+
+/*! @brief Test value for the @c additionalHeaders property.
+ */
+static NSString *const kTestAdditionalHeaderValue2 = @"3";
+
 @implementation OIDTokenRequestTests
 
 + (OIDTokenRequest *)testInstance {
@@ -56,6 +72,9 @@ + (OIDTokenRequest *)testInstance {
       [OIDScopeUtilities scopesArrayWithString:authResponse.request.scope];
   NSDictionary *additionalParameters =
       @{ kTestAdditionalParameterKey : kTestAdditionalParameterValue };
+  NSDictionary *additionalHeaders =
+      @{ kTestAdditionalHeaderKey : kTestAdditionalHeaderValue };
+  
   OIDTokenRequest *request =
       [[OIDTokenRequest alloc] initWithConfiguration:authResponse.request.configuration
                                            grantType:OIDGrantTypeAuthorizationCode
@@ -66,7 +85,8 @@ + (OIDTokenRequest *)testInstance {
                                               scopes:scopesArray
                                         refreshToken:kRefreshTokenTestValue
                                         codeVerifier:authResponse.request.codeVerifier
-                                additionalParameters:additionalParameters];
+                                additionalParameters:additionalParameters
+                                   additionalHeaders:additionalHeaders];
   return request;
 }
 
@@ -76,6 +96,9 @@ + (OIDTokenRequest *)testInstanceCodeExchange {
       [OIDScopeUtilities scopesArrayWithString:authResponse.request.scope];
   NSDictionary *additionalParameters =
       @{ kTestAdditionalParameterKey : kTestAdditionalParameterValue };
+  NSDictionary *additionalHeaders =
+      @{ kTestAdditionalHeaderKey : kTestAdditionalHeaderValue };
+  
   OIDTokenRequest *request =
       [[OIDTokenRequest alloc] initWithConfiguration:authResponse.request.configuration
                                            grantType:OIDGrantTypeAuthorizationCode
@@ -86,7 +109,8 @@ + (OIDTokenRequest *)testInstanceCodeExchange {
                                               scopes:scopesArray
                                         refreshToken:kRefreshTokenTestValue
                                         codeVerifier:authResponse.request.codeVerifier
-                                additionalParameters:additionalParameters];
+                                additionalParameters:additionalParameters
+                                   additionalHeaders:additionalHeaders];
   return request;
 }
 
@@ -96,6 +120,9 @@ + (OIDTokenRequest *)testInstanceCodeExchangeClientAuth {
       [OIDScopeUtilities scopesArrayWithString:authResponse.request.scope];
   NSDictionary *additionalParameters =
       @{ kTestAdditionalParameterKey : kTestAdditionalParameterValue };
+  NSDictionary *additionalHeaders =
+      @{ kTestAdditionalHeaderKey : kTestAdditionalHeaderValue };
+  
   OIDTokenRequest *request =
       [[OIDTokenRequest alloc] initWithConfiguration:authResponse.request.configuration
                                            grantType:OIDGrantTypeAuthorizationCode
@@ -106,7 +133,8 @@ + (OIDTokenRequest *)testInstanceCodeExchangeClientAuth {
                                               scopes:scopesArray
                                         refreshToken:kRefreshTokenTestValue
                                         codeVerifier:authResponse.request.codeVerifier
-                                additionalParameters:additionalParameters];
+                                additionalParameters:additionalParameters
+                                   additionalHeaders:additionalHeaders];
   return request;
 }
 
@@ -116,6 +144,9 @@ + (OIDTokenRequest *)testInstanceRefresh {
       [OIDScopeUtilities scopesArrayWithString:authResponse.request.scope];
   NSDictionary *additionalParameters =
       @{ kTestAdditionalParameterKey : kTestAdditionalParameterValue };
+  NSDictionary *additionalHeaders =
+      @{ kTestAdditionalHeaderKey : kTestAdditionalHeaderValue };
+  
   OIDTokenRequest *request =
       [[OIDTokenRequest alloc] initWithConfiguration:authResponse.request.configuration
                                            grantType:OIDGrantTypeAuthorizationCode
@@ -126,7 +157,34 @@ + (OIDTokenRequest *)testInstanceRefresh {
                                               scopes:scopesArray
                                         refreshToken:kRefreshTokenTestValue
                                         codeVerifier:authResponse.request.codeVerifier
-                                additionalParameters:additionalParameters];
+                                additionalParameters:additionalParameters
+                                   additionalHeaders:additionalHeaders];
+  return request;
+}
+
++ (OIDTokenRequest *)testInstanceAdditionalHeaders {
+  OIDAuthorizationResponse *authResponse = [OIDAuthorizationResponseTests testInstance];
+  NSArray<NSString *> *scopesArray =
+      [OIDScopeUtilities scopesArrayWithString:authResponse.request.scope];
+  NSDictionary *additionalParameters =
+      @{ kTestAdditionalParameterKey : kTestAdditionalParameterValue };
+  NSDictionary *additionalHeaders = @{
+    kTestAdditionalHeaderKey : kTestAdditionalHeaderValue,
+    kTestAdditionalHeaderKey2 : kTestAdditionalHeaderValue2
+  };
+  
+  OIDTokenRequest *request =
+      [[OIDTokenRequest alloc] initWithConfiguration:authResponse.request.configuration
+                                           grantType:OIDGrantTypeAuthorizationCode
+                                   authorizationCode:authResponse.authorizationCode
+                                         redirectURL:authResponse.request.redirectURL
+                                            clientID:authResponse.request.clientID
+                                        clientSecret:authResponse.request.clientSecret
+                                              scopes:scopesArray
+                                        refreshToken:kRefreshTokenTestValue
+                                        codeVerifier:authResponse.request.codeVerifier
+                                additionalParameters:additionalParameters
+                                   additionalHeaders:additionalHeaders];
   return request;
 }
 
@@ -157,11 +215,17 @@ - (void)testCopying {
   XCTAssertEqualObjects(request.codeVerifier, authResponse.request.codeVerifier,
                         @"Request and response codeVerifiers should be equal.");
   XCTAssertNotNil(request.additionalParameters,
-                        @"Request's additionalParameters field should not be nil.");
+                  @"Request's additionalParameters field should not be nil.");
   XCTAssertEqualObjects(request.additionalParameters[kTestAdditionalParameterKey],
                         kTestAdditionalParameterValue,
                         @"The request's kTestAdditionalParameterKey additional parameter should "
                         "be equal to kTestAdditionalParameterValue.");
+  XCTAssertNotNil(request.additionalHeaders,
+                  @"Request's additionalHeaders field should not be nil.");
+  XCTAssertEqualObjects(request.additionalHeaders[kTestAdditionalHeaderKey],
+                        kTestAdditionalHeaderValue,
+                        @"The request's kTestAdditionalHeaderKey additional parameter should "
+                        "be equal to kTestAdditionalHeaderValue.");
 
   OIDTokenRequest *requestCopy = [request copy];
 
@@ -181,6 +245,9 @@ - (void)testCopying {
   XCTAssertNotNil(requestCopy.additionalParameters, @"");
   XCTAssertEqualObjects(requestCopy.additionalParameters[kTestAdditionalParameterKey],
                         kTestAdditionalParameterValue, @"");
+  XCTAssertNotNil(requestCopy.additionalHeaders, @"");
+  XCTAssertEqualObjects(requestCopy.additionalHeaders[kTestAdditionalHeaderKey],
+                        kTestAdditionalHeaderValue, @"");
 }
 
 /*! @brief Tests the @c NSSecureCoding by round-tripping an instance through the coding process and
@@ -203,6 +270,13 @@ - (void)testSecureCoding {
   XCTAssertNotNil(request.additionalParameters, @"");
   XCTAssertEqualObjects(request.additionalParameters[kTestAdditionalParameterKey],
                         kTestAdditionalParameterValue, @"");
+  XCTAssertNotNil(request.additionalHeaders, @"");
+  XCTAssertEqualObjects(request.additionalHeaders[kTestAdditionalHeaderKey],
+                        kTestAdditionalHeaderValue, @"");
+  
+  NSURLRequest *urlRequest = [request URLRequest];
+  XCTAssertEqualObjects([urlRequest.allHTTPHeaderFields objectForKey:kTestAdditionalHeaderKey],
+                        kTestAdditionalHeaderValue);
 
   NSData *data = [NSKeyedArchiver archivedDataWithRootObject:request];
   OIDTokenRequest *requestCopy = [NSKeyedUnarchiver unarchiveObjectWithData:data];
@@ -224,6 +298,13 @@ - (void)testSecureCoding {
   XCTAssertNotNil(requestCopy.additionalParameters, @"");
   XCTAssertEqualObjects(requestCopy.additionalParameters[kTestAdditionalParameterKey],
                         kTestAdditionalParameterValue, @"");
+  XCTAssertNotNil(requestCopy.additionalHeaders, @"");
+  XCTAssertEqualObjects(requestCopy.additionalHeaders[kTestAdditionalHeaderKey],
+                        kTestAdditionalHeaderValue, @"");
+  
+  NSURLRequest *urlrequestCopy = [requestCopy URLRequest];
+  XCTAssertEqualObjects([urlrequestCopy.allHTTPHeaderFields objectForKey:kTestAdditionalHeaderKey],
+                        kTestAdditionalHeaderValue);
 }
 
 - (void)testURLRequestNoClientAuth {
@@ -248,6 +329,8 @@ - (void)testAuthorizationCodeNullRedirectURL {
       [OIDScopeUtilities scopesArrayWithString:authResponse.request.scope];
   NSDictionary *additionalParameters =
       @{ kTestAdditionalParameterKey : kTestAdditionalParameterValue };
+  NSDictionary *additionalHeaders =
+      @{ kTestAdditionalHeaderKey : kTestAdditionalHeaderValue };
   XCTAssertThrows([[OIDTokenRequest alloc] initWithConfiguration:authResponse.request.configuration
                                                        grantType:OIDGrantTypeAuthorizationCode
                                                authorizationCode:authResponse.authorizationCode
@@ -257,7 +340,19 @@ - (void)testAuthorizationCodeNullRedirectURL {
                                                           scopes:scopesArray
                                                     refreshToken:kRefreshTokenTestValue
                                                     codeVerifier:authResponse.request.codeVerifier
-                                            additionalParameters:additionalParameters], @"");
+                                            additionalParameters:additionalParameters
+                                               additionalHeaders:additionalHeaders], @"");
+}
+
+- (void)testThatAdditionalHeadersAreInTokenRequest {
+  OIDTokenRequest *request = [[self class] testInstanceAdditionalHeaders];
+  NSURLRequest* urlRequest = [request URLRequest];
+
+  XCTAssertEqualObjects([urlRequest.allHTTPHeaderFields objectForKey:kTestAdditionalHeaderKey],
+                        kTestAdditionalHeaderValue);
+  
+  XCTAssertEqualObjects([urlRequest.allHTTPHeaderFields objectForKey:kTestAdditionalHeaderKey2],
+                        kTestAdditionalHeaderValue2);
 }
 
 @end
diff --git a/UnitTests/OIDTokenResponseTests.m b/UnitTests/OIDTokenResponseTests.m
index 5d0a8f8ae..0eb525ed0 100644
--- a/UnitTests/OIDTokenResponseTests.m
+++ b/UnitTests/OIDTokenResponseTests.m
@@ -23,8 +23,8 @@
 #if SWIFT_PACKAGE
 @import AppAuthCore;
 #else
-#import "Source/AppAuthCore/OIDTokenRequest.h"
-#import "Source/AppAuthCore/OIDTokenResponse.h"
+#import "Sources/AppAuthCore/OIDTokenRequest.h"
+#import "Sources/AppAuthCore/OIDTokenResponse.h"
 #endif
 
 // Ignore warnings about "Use of GNU statement expression extension" which is raised by our use of
diff --git a/UnitTests/OIDTokenUtilitiesTests.m b/UnitTests/OIDTokenUtilitiesTests.m
index 0a7ff15ec..783e81273 100644
--- a/UnitTests/OIDTokenUtilitiesTests.m
+++ b/UnitTests/OIDTokenUtilitiesTests.m
@@ -21,7 +21,7 @@
 #if SWIFT_PACKAGE
 @import AppAuthCore;
 #else
-#import "Source/AppAuthCore/OIDTokenUtilities.h"
+#import "Sources/AppAuthCore/OIDTokenUtilities.h"
 #endif
 
 @interface OIDTokenUtilitiesTests : XCTestCase
diff --git a/UnitTests/OIDURLQueryComponentTests.m b/UnitTests/OIDURLQueryComponentTests.m
index d0eec3e5c..eac017c43 100644
--- a/UnitTests/OIDURLQueryComponentTests.m
+++ b/UnitTests/OIDURLQueryComponentTests.m
@@ -21,7 +21,7 @@
 #if SWIFT_PACKAGE
 @import AppAuthCore;
 #else
-#import "Source/AppAuthCore/OIDURLQueryComponent.h"
+#import "Sources/AppAuthCore/OIDURLQueryComponent.h"
 #endif
 
 // Ignore warnings about "Use of GNU statement expression extension" which is raised by our use of
diff --git a/UnitTests/OIDURLQueryComponentTestsIOS7.m b/UnitTests/OIDURLQueryComponentTestsIOS7.m
index af26ef107..571f61bba 100644
--- a/UnitTests/OIDURLQueryComponentTestsIOS7.m
+++ b/UnitTests/OIDURLQueryComponentTestsIOS7.m
@@ -21,7 +21,7 @@
 #if SWIFT_PACKAGE
 @import AppAuthCore;
 #else
-#import "Source/AppAuthCore/OIDURLQueryComponent.h"
+#import "Sources/AppAuthCore/OIDURLQueryComponent.h"
 #endif
 
 // Ignore warnings about "Use of GNU statement expression extension" which is raised by our use of