diff --git a/.changelog/1667.txt b/.changelog/1667.txt
new file mode 100644
index 0000000000..44d6e7b604
--- /dev/null
+++ b/.changelog/1667.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/cloudflare_access_identity_provider: Add support for PKCE when creating IDPS.
+```
\ No newline at end of file
diff --git a/docs/resources/access_application.md b/docs/resources/access_application.md
index c50183b820..fe8bb8b211 100644
--- a/docs/resources/access_application.md
+++ b/docs/resources/access_application.md
@@ -40,11 +40,11 @@ zone needs to use the `zone_id` argument.
 - `enable_binding_cookie` (Boolean) Option to provide increased security against compromised authorization tokens and CSRF attacks by requiring an additional "binding" cookie on requests. Defaults to `false`.
 - `http_only_cookie_attribute` (Boolean) Option to add the `HttpOnly` cookie flag to access tokens. Defaults to `true`.
 - `logo_url` (String) Image URL for the logo shown in the app launcher dashboard.
-- `same_site_cookie_attribute` (String) Defines the same-site cookie setting for access tokens. Available values: `"none"`, `"lax"`, `"strict"`.
+- `same_site_cookie_attribute` (String) Defines the same-site cookie setting for access tokens. Available values: `none`, `lax`, `strict`.
 - `service_auth_401_redirect` (Boolean) Option to return a 401 status code in service authentication rules on failed requests. Defaults to `false`.
 - `session_duration` (String) How often a user will be forced to re-authorise. Must be in the format `48h` or `2h45m`. Defaults to `24h`.
 - `skip_interstitial` (Boolean) Option to skip the authorization interstitial when using the CLI. Defaults to `false`.
-- `type` (String) The application type. Available values: `"self_hosted"`, `"ssh"`, `"vnc"`, `"file"`. Defaults to `self_hosted`.
+- `type` (String) The application type. Available values: `self_hosted`, `ssh`, `vnc`, `file`. Defaults to `self_hosted`.
 - `zone_id` (String) The zone identifier to target for the resource. Conflicts with `account_id`.
 
 ### Read-Only
diff --git a/docs/resources/access_identity_provider.md b/docs/resources/access_identity_provider.md
index 303ab8847f..eedd11015d 100644
--- a/docs/resources/access_identity_provider.md
+++ b/docs/resources/access_identity_provider.md
@@ -22,7 +22,7 @@ zone needs to use the `zone_id` argument.
 ### Required
 
 - `name` (String) Friendly name of the Access Identity Provider configuration.
-- `type` (String) The provider type to use. Available values: `"centrify"`, `"facebook"`, `"google-apps"`, `"oidc"`, `"github"`, `"google"`, `"saml"`, `"linkedin"`, `"azureAD"`, `"okta"`, `"onetimepin"`, `"onelogin"`, `"yandex"`.
+- `type` (String) The provider type to use. Available values: `centrify`, `facebook`, `google-apps`, `oidc`, `github`, `google`, `saml`, `linkedin`, `azureAD`, `okta`, `onetimepin`, `onelogin`, `yandex`.
 
 ### Optional
 
@@ -54,6 +54,7 @@ Optional:
 - `issuer_url` (String)
 - `okta_account` (String)
 - `onelogin_account` (String)
+- `pkce_enabled` (Boolean)
 - `redirect_url` (String)
 - `sign_request` (Boolean)
 - `sso_target_url` (String)
diff --git a/docs/resources/access_policy.md b/docs/resources/access_policy.md
index a410d8d9c1..38221a83f0 100644
--- a/docs/resources/access_policy.md
+++ b/docs/resources/access_policy.md
@@ -22,7 +22,7 @@ zone needs to use the `zone_id` argument.
 ### Required
 
 - `application_id` (String) The ID of the application the policy is associated with.
-- `decision` (String) Defines the action Access will take if the policy matches the user. Available values: `"allow"`, `"deny"`, `"non_identity"`, `"bypass"`.
+- `decision` (String) Defines the action Access will take if the policy matches the user. Available values: `allow`, `deny`, `non_identity`, `bypass`.
 - `include` (Block List, Min: 1) A series of access conditions, see [Access Groups](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/access_group#conditions). (see [below for nested schema](#nestedblock--include))
 - `name` (String) Friendly name of the Access Policy.
 - `precedence` (Number) The unique precedence for policies on a single application.
diff --git a/docs/resources/access_rule.md b/docs/resources/access_rule.md
index cb58c231f4..f1d2daca3f 100644
--- a/docs/resources/access_rule.md
+++ b/docs/resources/access_rule.md
@@ -59,7 +59,7 @@ resource "cloudflare_access_rule" "office_network" {
 ### Required
 
 - `configuration` (Block List, Min: 1, Max: 1) Rule configuration to apply to a matched request. (see [below for nested schema](#nestedblock--configuration))
-- `mode` (String) The action to apply to a matched request. Available values: `"block"`, `"challenge"`, `"whitelist"`, `"js_challenge"`, `"managed_challenge"`.
+- `mode` (String) The action to apply to a matched request. Available values: `block`, `challenge`, `whitelist`, `js_challenge`, `managed_challenge`.
 
 ### Optional
 
@@ -75,7 +75,7 @@ resource "cloudflare_access_rule" "office_network" {
 
 Required:
 
-- `target` (String) The request property to target. Available values: `"ip"`, `"ip6"`, `"ip_range"`, `"asn"`, `"country"`.
+- `target` (String) The request property to target. Available values: `ip`, `ip6`, `ip_range`, `asn`, `country`.
 - `value` (String) The value to target. Depends on target's type.
 
 ## Import
diff --git a/docs/resources/api_token.md b/docs/resources/api_token.md
index 54b35c56bc..3b789f71ad 100644
--- a/docs/resources/api_token.md
+++ b/docs/resources/api_token.md
@@ -163,7 +163,7 @@ Required:
 
 Optional:
 
-- `effect` (String) Effect of the policy. Available values: `"allow"`, `"deny"`. Defaults to `allow`.
+- `effect` (String) Effect of the policy. Available values: `allow`, `deny`. Defaults to `allow`.
 
 
 <a id="nestedblock--condition"></a>
diff --git a/docs/resources/argo.md b/docs/resources/argo.md
index 58f04dfceb..8a23f107c8 100644
--- a/docs/resources/argo.md
+++ b/docs/resources/argo.md
@@ -27,8 +27,8 @@ resource "cloudflare_argo" "example" {
 
 ### Optional
 
-- `smart_routing` (String) Whether smart routing is enabled. Available values: `"on"`, `"off"`.
-- `tiered_caching` (String) Whether tiered caching is enabled. Available values: `"on"`, `"off"`.
+- `smart_routing` (String) Whether smart routing is enabled. Available values: `on`, `off`.
+- `tiered_caching` (String) Whether tiered caching is enabled. Available values: `on`, `off`.
 
 ### Read-Only
 
diff --git a/docs/resources/healthcheck.md b/docs/resources/healthcheck.md
index 4796e71a19..2ef27dcf45 100644
--- a/docs/resources/healthcheck.md
+++ b/docs/resources/healthcheck.md
@@ -73,13 +73,13 @@ resource "cloudflare_healthcheck" "tcp_health_check" {
 
 - `address` (String) The hostname or IP address of the origin server to run health checks on.
 - `name` (String) A short name to identify the health check. Only alphanumeric characters, hyphens, and underscores are allowed.
-- `type` (String) The protocol to use for the health check. Available values: `"TCP"`, `"HTTP"`, `"HTTPS"`.
+- `type` (String) The protocol to use for the health check. Available values: `TCP`, `HTTP`, `HTTPS`.
 - `zone_id` (String) The zone identifier to target for the resource.
 
 ### Optional
 
 - `allow_insecure` (Boolean) Do not validate the certificate when the health check uses HTTPS. Defaults to `false`.
-- `check_regions` (List of String) A list of regions from which to run health checks. If not set, Cloudflare will pick a default region. Available values: `"WNAM"`, `"ENAM"`, `"WEU"`, `"EEU"`, `"NSAM"`, `"SSAM"`, `"OC"`, `"ME"`, `"NAF"`, `"SAF"`, `"IN"`, `"SEAS"`, `"NEAS"`, `"ALL_REGIONS"`.
+- `check_regions` (List of String) A list of regions from which to run health checks. If not set, Cloudflare will pick a default region. Available values: `WNAM`, `ENAM`, `WEU`, `EEU`, `NSAM`, `SSAM`, `OC`, `ME`, `NAF`, `SAF`, `IN`, `SEAS`, `NEAS`, `ALL_REGIONS`.
 - `consecutive_fails` (Number) The number of consecutive fails required from a health check before changing the health to unhealthy. Defaults to `1`.
 - `consecutive_successes` (Number) The number of consecutive successes required from a health check before changing the health to healthy. Defaults to `1`.
 - `description` (String) A human-readable description of the health check.
@@ -88,7 +88,7 @@ resource "cloudflare_healthcheck" "tcp_health_check" {
 - `follow_redirects` (Boolean) Follow redirects if the origin returns a 3xx status code. Defaults to `false`.
 - `header` (Block Set) The HTTP request headers to send in the health check. It is recommended you set a Host header by default. The User-Agent header cannot be overridden. (see [below for nested schema](#nestedblock--header))
 - `interval` (Number) The interval between each health check. Shorter intervals may give quicker notifications if the origin status changes, but will increase the load on the origin as we check from multiple locations. Defaults to `60`.
-- `method` (String) The HTTP method to use for the health check. Available values: `"connection_established"`, `"GET"`, `"HEAD"`.
+- `method` (String) The HTTP method to use for the health check. Available values: `connection_established`, `GET`, `HEAD`.
 - `notification_email_addresses` (List of String, Deprecated) A list of email addresses we want to send the notifications to. Deprecated, use cloudflare_notification_policy instead.
 - `notification_suspended` (Boolean, Deprecated) Whether the notifications are suspended or not. Useful for maintenance periods. Defaults to `false`.
 - `path` (String) The endpoint path to health check against. Defaults to `/`.
diff --git a/docs/resources/ipsec_tunnel.md b/docs/resources/ipsec_tunnel.md
index 8ed08e8cad..61466d1d86 100644
--- a/docs/resources/ipsec_tunnel.md
+++ b/docs/resources/ipsec_tunnel.md
@@ -42,7 +42,7 @@ resource "cloudflare_ipsec_tunnel" "example" {
 - `fqdn_id` (String) `remote_id` in the form of a fqdn. This value is generated by cloudflare.
 - `health_check_enabled` (Boolean) Specifies if ICMP tunnel health checks are enabled. Default: `true`.
 - `health_check_target` (String) The IP address of the customer endpoint that will receive tunnel health checks. Default: `<customer_gre_endpoint>`.
-- `health_check_type` (String) Specifies the ICMP echo type for the health check (`request` or `reply`). Available values: `"request"`, `"reply"` Default: `reply`.
+- `health_check_type` (String) Specifies the ICMP echo type for the health check (`request` or `reply`). Available values: `request`, `reply` Default: `reply`.
 - `hex_id` (String) `remote_id` as a hex string. This value is generated by cloudflare.
 - `psk` (String, Sensitive) Pre shared key to be used with the IPsec tunnel. If left unset, it will be autogenerated.
 - `remote_id` (String) ID to be used while setting up the IPsec tunnel. This value is generated by cloudflare.
diff --git a/docs/resources/logpush_job.md b/docs/resources/logpush_job.md
index 61b0d0acea..0bb36fd348 100644
--- a/docs/resources/logpush_job.md
+++ b/docs/resources/logpush_job.md
@@ -109,7 +109,7 @@ resource "cloudflare_logpush_job" "example_job" {
 
 ### Required
 
-- `dataset` (String) Uniquely identifies a resource (such as an s3 bucket) where data will be pushed. Additional configuration parameters supported by the destination may be included. See [Logpush destination documentation](https://developers.cloudflare.com/logs/reference/logpush-api-configuration#destination). Available values: `"firewall_events"`, `"http_requests"`, `"spectrum_events"`, `"nel_reports"`, `"audit_logs"`, `"gateway_dns"`, `"gateway_http"`, `"gateway_network"`, `"dns_logs"`, `"network_analytics_logs"`.
+- `dataset` (String) Uniquely identifies a resource (such as an s3 bucket) where data will be pushed. Additional configuration parameters supported by the destination may be included. See [Logpush destination documentation](https://developers.cloudflare.com/logs/reference/logpush-api-configuration#destination). Available values: `firewall_events`, `http_requests`, `spectrum_events`, `nel_reports`, `audit_logs`, `gateway_dns`, `gateway_http`, `gateway_network`, `dns_logs`, `network_analytics_logs`.
 - `destination_conf` (String) Uniquely identifies a resource (such as an s3 bucket) where data will be pushed. Additional configuration parameters supported by the destination may be included. See [Logpush destination documentation](https://developers.cloudflare.com/logs/reference/logpush-api-configuration#destination).
 
 ### Optional
@@ -117,7 +117,7 @@ resource "cloudflare_logpush_job" "example_job" {
 - `account_id` (String) The account identifier to target for the resource.
 - `enabled` (Boolean) Whether to enable the job.
 - `filter` (String) Use filters to select the events to include and/or remove from your logs. For more information, refer to [Filters](https://developers.cloudflare.com/logs/reference/logpush-api-configuration/filters/).
-- `frequency` (String) A higher frequency will result in logs being pushed on faster with smaller files. `low` frequency will push logs less often with larger files. Available values: `"high"`, `"low"`. Defaults to `high`.
+- `frequency` (String) A higher frequency will result in logs being pushed on faster with smaller files. `low` frequency will push logs less often with larger files. Available values: `high`, `low`. Defaults to `high`.
 - `logpull_options` (String) Configuration string for the Logshare API. It specifies things like requested fields and timestamp formats. See [Logpull options documentation](https://developers.cloudflare.com/logs/logpush/logpush-configuration-api/understanding-logpush-api/#options).
 - `name` (String) The name of the logpush job to create. Must match the regular expression `^[a-zA-Z0-9\-\.]*$`.
 - `ownership_challenge` (String) Ownership challenge token to prove destination ownership, required when destination is Amazon S3, Google Cloud Storage, Microsoft Azure or Sumo Logic. See [Developer documentation](https://developers.cloudflare.com/logs/logpush/logpush-configuration-api/understanding-logpush-api/#usage).
diff --git a/docs/resources/ruleset.md b/docs/resources/ruleset.md
index 50afbc4858..d41427012d 100644
--- a/docs/resources/ruleset.md
+++ b/docs/resources/ruleset.md
@@ -36,9 +36,9 @@ have inconsistent operations and inadvertently disable rulesets.
 
 ### Required
 
-- `kind` (String) Type of Ruleset to create. Available values: `"custom"`, `"managed"`, `"root"`, `"schema"`, `"zone"`.
+- `kind` (String) Type of Ruleset to create. Available values: `custom`, `managed`, `root`, `schema`, `zone`.
 - `name` (String) Name of the ruleset.
-- `phase` (String) Point in the request/response lifecycle where the ruleset will be created. Available values: `"ddos_l4"`, `"ddos_l7"`, `"http_log_custom_fields"`, `"http_request_firewall_custom"`, `"http_request_firewall_managed"`, `"http_request_late_transform"`, `"http_request_main"`, `"http_request_sanitize"`, `"http_request_transform"`, `"http_request_origin"`, `"http_response_firewall_managed"`, `"http_response_headers_transform"`, `"magic_transit"`, `"http_ratelimit"`, `"http_request_sbfm"`.
+- `phase` (String) Point in the request/response lifecycle where the ruleset will be created. Available values: `ddos_l4`, `ddos_l7`, `http_log_custom_fields`, `http_request_firewall_custom`, `http_request_firewall_managed`, `http_request_late_transform`, `http_request_main`, `http_request_sanitize`, `http_request_transform`, `http_request_origin`, `http_response_firewall_managed`, `http_response_headers_transform`, `magic_transit`, `http_ratelimit`, `http_request_sbfm`.
 
 ### Optional
 
@@ -61,7 +61,7 @@ Required:
 
 Optional:
 
-- `action` (String) Action to perform in the ruleset rule. Available values: `"block"`, `"challenge"`, `"ddos_dynamic"`, `"execute"`, `"force_connection_close"`, `"js_challenge"`, `"managed_challenge"`, `"log"`, `"log_custom_field"`, `"rewrite"`, `"score"`, `"skip"`, `"route"`.
+- `action` (String) Action to perform in the ruleset rule. Available values: `block`, `challenge`, `ddos_dynamic`, `execute`, `force_connection_close`, `js_challenge`, `managed_challenge`, `log`, `log_custom_field`, `rewrite`, `score`, `skip`, `route`.
 - `action_parameters` (Block List, Max: 1) List of parameters that configure the behavior of the ruleset rule action. (see [below for nested schema](#nestedblock--rules--action_parameters))
 - `description` (String) Brief summary of the ruleset rule and its intended use.
 - `enabled` (Boolean) Whether the rule is active.
@@ -88,8 +88,8 @@ Optional:
 - `matched_data` (Block List, Max: 1) List of properties to configure WAF payload logging. (see [below for nested schema](#nestedblock--rules--action_parameters--matched_data))
 - `origin` (Block List, Max: 1) List of properties to change request origin. (see [below for nested schema](#nestedblock--rules--action_parameters--origin))
 - `overrides` (Block List, Max: 1) List of override configurations to apply to the ruleset. (see [below for nested schema](#nestedblock--rules--action_parameters--overrides))
-- `phases` (Set of String) Point in the request/response lifecycle where the ruleset will be created. Available values: `"ddos_l4"`, `"ddos_l7"`, `"http_log_custom_fields"`, `"http_request_firewall_custom"`, `"http_request_firewall_managed"`, `"http_request_late_transform"`, `"http_request_main"`, `"http_request_sanitize"`, `"http_request_transform"`, `"http_request_origin"`, `"http_response_firewall_managed"`, `"http_response_headers_transform"`, `"magic_transit"`, `"http_ratelimit"`, `"http_request_sbfm"`.
-- `products` (Set of String) Products to target with the actions. Available values: `"bic"`, `"hot"`, `"ratelimit"`, `"securityLevel"`, `"uablock"`, `"waf"`, `"zonelockdown"`.
+- `phases` (Set of String) Point in the request/response lifecycle where the ruleset will be created. Available values: `ddos_l4`, `ddos_l7`, `http_log_custom_fields`, `http_request_firewall_custom`, `http_request_firewall_managed`, `http_request_late_transform`, `http_request_main`, `http_request_sanitize`, `http_request_transform`, `http_request_origin`, `http_response_firewall_managed`, `http_response_headers_transform`, `magic_transit`, `http_ratelimit`, `http_request_sbfm`.
+- `products` (Set of String) Products to target with the actions. Available values: `bic`, `hot`, `ratelimit`, `securityLevel`, `uablock`, `waf`, `zonelockdown`.
 - `request_fields` (Set of String) List of request headers to include as part of custom fields logging, in lowercase.
 - `response` (Block List) List of parameters that configure the response given to end users. (see [below for nested schema](#nestedblock--rules--action_parameters--response))
 - `response_fields` (Set of String) List of response headers to include as part of custom fields logging, in lowercase.
@@ -106,7 +106,7 @@ Optional:
 
 - `expression` (String) Use a value dynamically determined by the Firewall Rules expression language based on Wireshark display filters. Refer to the [Firewall Rules language](https://developers.cloudflare.com/firewall/cf-firewall-language) documentation for all available fields, operators, and functions. Conflicts with `"value"`.
 - `name` (String) Name of the HTTP request header to target.
-- `operation` (String) Action to perform on the HTTP request header. Available values: `"remove"`, `"set"`.
+- `operation` (String) Action to perform on the HTTP request header. Available values: `remove`, `set`.
 - `value` (String) Static value to provide as the HTTP request header value. Conflicts with `"expression"`.
 
 
@@ -132,21 +132,21 @@ Optional:
 
 Optional:
 
-- `action` (String) Action to perform in the rule-level override. Available values: `"block"`, `"challenge"`, `"ddos_dynamic"`, `"execute"`, `"force_connection_close"`, `"js_challenge"`, `"managed_challenge"`, `"log"`, `"log_custom_field"`, `"rewrite"`, `"score"`, `"skip"`, `"route"`.
+- `action` (String) Action to perform in the rule-level override. Available values: `block`, `challenge`, `ddos_dynamic`, `execute`, `force_connection_close`, `js_challenge`, `managed_challenge`, `log`, `log_custom_field`, `rewrite`, `score`, `skip`, `route`.
 - `categories` (Block List) List of tag-based overrides. (see [below for nested schema](#nestedblock--rules--action_parameters--overrides--categories))
 - `enabled` (Boolean, Deprecated) Defines if the current ruleset-level override enables or disables the ruleset.
 - `rules` (Block List) List of rule-based overrides. (see [below for nested schema](#nestedblock--rules--action_parameters--overrides--rules))
-- `status` (String) Defines if the current ruleset-level override enables or disables the ruleset. Available values: `"enabled"`, `"disabled"`. Defaults to `""`.
+- `status` (String) Defines if the current ruleset-level override enables or disables the ruleset. Available values: `enabled`, `disabled`. Defaults to `""`.
 
 <a id="nestedblock--rules--action_parameters--overrides--categories"></a>
 ### Nested Schema for `rules.action_parameters.overrides.status`
 
 Optional:
 
-- `action` (String) Action to perform in the tag-level override. Available values: `"block"`, `"challenge"`, `"ddos_dynamic"`, `"execute"`, `"force_connection_close"`, `"js_challenge"`, `"managed_challenge"`, `"log"`, `"log_custom_field"`, `"rewrite"`, `"score"`, `"skip"`, `"route"`.
+- `action` (String) Action to perform in the tag-level override. Available values: `block`, `challenge`, `ddos_dynamic`, `execute`, `force_connection_close`, `js_challenge`, `managed_challenge`, `log`, `log_custom_field`, `rewrite`, `score`, `skip`, `route`.
 - `category` (String) Tag name to apply the ruleset rule override to.
 - `enabled` (Boolean, Deprecated) Defines if the current tag-level override enables or disables the ruleset rules with the specified tag.
-- `status` (String) Defines if the current tag-level override enables or disables the ruleset rules with the specified tag. Available values: `"enabled"`, `"disabled"`. Defaults to `""`.
+- `status` (String) Defines if the current tag-level override enables or disables the ruleset rules with the specified tag. Available values: `enabled`, `disabled`. Defaults to `""`.
 
 
 <a id="nestedblock--rules--action_parameters--overrides--rules"></a>
@@ -154,12 +154,12 @@ Optional:
 
 Optional:
 
-- `action` (String) Action to perform in the rule-level override. Available values: `"block"`, `"challenge"`, `"ddos_dynamic"`, `"execute"`, `"force_connection_close"`, `"js_challenge"`, `"managed_challenge"`, `"log"`, `"log_custom_field"`, `"rewrite"`, `"score"`, `"skip"`, `"route"`.
+- `action` (String) Action to perform in the rule-level override. Available values: `block`, `challenge`, `ddos_dynamic`, `execute`, `force_connection_close`, `js_challenge`, `managed_challenge`, `log`, `log_custom_field`, `rewrite`, `score`, `skip`, `route`.
 - `enabled` (Boolean, Deprecated) Defines if the current rule-level override enables or disables the rule.
 - `id` (String) Rule ID to apply the override to.
 - `score_threshold` (Number) Anomaly score threshold to apply in the ruleset rule override. Only applicable to modsecurity-based rulesets.
 - `sensitivity_level` (String) Sensitivity level for a ruleset rule override.
-- `status` (String) Defines if the current rule-level override enables or disables the rule. Available values: `"enabled"`, `"disabled"`. Defaults to `""`.
+- `status` (String) Defines if the current rule-level override enables or disables the rule. Available values: `enabled`, `disabled`. Defaults to `""`.
 
 
 
@@ -217,7 +217,7 @@ Optional:
 Optional:
 
 - `enabled` (Boolean, Deprecated) Override the default logging behavior when a rule is matched.
-- `status` (String) Override the default logging behavior when a rule is matched. Available values: `"enabled"`, `"disabled"`. Defaults to `""`.
+- `status` (String) Override the default logging behavior when a rule is matched. Available values: `enabled`, `disabled`. Defaults to `""`.
 
 
 <a id="nestedblock--rules--ratelimit"></a>
diff --git a/docs/resources/waiting_room.md b/docs/resources/waiting_room.md
index bbf6c125d2..a70e124f0d 100644
--- a/docs/resources/waiting_room.md
+++ b/docs/resources/waiting_room.md
@@ -36,7 +36,7 @@ resource "cloudflare_waiting_room" "example" {
 ### Optional
 
 - `custom_page_html` (String) This is a templated html file that will be rendered at the edge.
-- `default_template_language` (String) The language to use for the default waiting room page. Available values: `"de-DE"`, `"es-ES"`, `"en-US"`, `"fr-FR"`, `"id-ID"`, `"it-IT"`, `"ja-JP"`, `"ko-KR"`, `"nl-NL"`, `"pl-PL"`, `"pt-BR"`, `"tr-TR"`, `"zh-CN"`, `"zh-TW"`. Defaults to `en-US`.
+- `default_template_language` (String) The language to use for the default waiting room page. Available values: `de-DE`, `es-ES`, `en-US`, `fr-FR`, `id-ID`, `it-IT`, `ja-JP`, `ko-KR`, `nl-NL`, `pl-PL`, `pt-BR`, `tr-TR`, `zh-CN`, `zh-TW`. Defaults to `en-US`.
 - `description` (String) A description to add more details about the waiting room.
 - `disable_session_renewal` (Boolean) Disables automatic renewal of session cookies.
 - `json_response_enabled` (Boolean) If true, requests to the waiting room with the header `Accept: application/json` will receive a JSON response object.
diff --git a/docs/resources/waiting_room_event.md b/docs/resources/waiting_room_event.md
index 07bd45dc08..25336c1f26 100644
--- a/docs/resources/waiting_room_event.md
+++ b/docs/resources/waiting_room_event.md
@@ -39,7 +39,7 @@ resource "cloudflare_waiting_room_event" "example" {
 - `disable_session_renewal` (Boolean) Disables automatic renewal of session cookies.
 - `new_users_per_minute` (Number) The number of new users that will be let into the route every minute.
 - `prequeue_start_time` (String) ISO 8601 timestamp that marks when to begin queueing all users before the event starts. Must occur at least 5 minutes before `event_start_time`.
-- `queueing_method` (String) The queueing method used by the waiting room. Available values: `"fifo"`, `"random"`, `"passthrough"`, `"reject"`.
+- `queueing_method` (String) The queueing method used by the waiting room. Available values: `fifo`, `random`, `passthrough`, `reject`.
 - `session_duration` (Number) Lifetime of a cookie (in minutes) set by Cloudflare for users who get access to the origin.
 - `shuffle_at_event_start` (Boolean) Users in the prequeue will be shuffled randomly at the `event_start_time`. Requires that `prequeue_start_time` is not null. Defaults to `false`.
 - `suspended` (Boolean) If suspended, the event is ignored and traffic will be handled based on the waiting room configuration.
diff --git a/internal/provider/resource_cloudflare_access_identity_provider.go b/internal/provider/resource_cloudflare_access_identity_provider.go
index 301094cd1a..a841a80978 100644
--- a/internal/provider/resource_cloudflare_access_identity_provider.go
+++ b/internal/provider/resource_cloudflare_access_identity_provider.go
@@ -208,6 +208,7 @@ func convertSchemaToStruct(d *schema.ResourceData) (cloudflare.AccessIdentityPro
 		IDPConfig.SsoTargetURL = d.Get("config.0.sso_target_url").(string)
 		IDPConfig.SupportGroups = d.Get("config.0.support_groups").(bool)
 		IDPConfig.TokenURL = d.Get("config.0.token_url").(string)
+		IDPConfig.PKCEEnabled = cloudflare.BoolPtr(d.Get("config.0.pkce_enabled").(bool))
 	}
 
 	return IDPConfig, nil
@@ -244,6 +245,7 @@ func convertStructToSchema(d *schema.ResourceData, options cloudflare.AccessIden
 		"sso_target_url":       options.SsoTargetURL,
 		"support_groups":       options.SupportGroups,
 		"token_url":            options.TokenURL,
+		"pkce_enabled":         options.PKCEEnabled,
 	}
 
 	return []interface{}{m}
diff --git a/internal/provider/schema_cloudflare_access_identity_provider.go b/internal/provider/schema_cloudflare_access_identity_provider.go
index a2c534fd61..6cc91250f2 100644
--- a/internal/provider/schema_cloudflare_access_identity_provider.go
+++ b/internal/provider/schema_cloudflare_access_identity_provider.go
@@ -137,6 +137,10 @@ func resourceCloudflareAccessIdentityProviderSchema() map[string]*schema.Schema
 						Type:     schema.TypeString,
 						Optional: true,
 					},
+					"pkce_enabled": {
+						Type:     schema.TypeBool,
+						Optional: true,
+					},
 				},
 			},
 		},
diff --git a/internal/provider/utils.go b/internal/provider/utils.go
index 3e26502cfd..740fe27cb1 100644
--- a/internal/provider/utils.go
+++ b/internal/provider/utils.go
@@ -245,7 +245,7 @@ func renderAvailableDocumentationValuesStringSlice(s []string) string {
 	if s != nil && len(s) > 0 {
 		values := make([]string, len(s))
 		for i, c := range s {
-			values[i] = fmt.Sprintf("`\"%s\"`", c)
+			values[i] = fmt.Sprintf("`%s`", c)
 		}
 		output = fmt.Sprintf("Available values: %s", strings.Join(values, ", "))
 	}