Security Considerations
To ensure your client integration is secure, we recommend the following:
- The client should exchange the authorization code for tokens on the backend, never in the browser or native app. Backend systems must not assume that tokens handed to them by the client are valid: validate the signature, issuer, expiry, intended audience (`aud`) and nonce before trusting any claim.
- The client should validate the `state`, `nonce` and audience values it receives in responses, as far as each is available to it (`state` on the redirect, `nonce` and `aud` inside the ID token), and reject the response on any mismatch.
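The two recommendations above, as an added example that is not part of the original page: a backend that checks the `state` returned on the redirect and then verifies the ID token's signature, issuer, audience, expiry and nonce. The issuer URL, client id and shared secret are placeholders, and the token is signed with HS256 using the client secret (one of the signing options OIDC allows) only so that the example runs offline with the standard library; a production backend would normally verify an RS256/ES256 signature against the issuer's published keys.

```python
"""Backend-side validation of OAuth 2.0 / OIDC response values.

Added example, not the page's own code. ISSUER, CLIENT_ID and
CLIENT_SECRET are constructed placeholders, not real endpoints.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

ISSUER = "https://issuer.example"          # assumed issuer (placeholder)
CLIENT_ID = "my-client"                    # assumed client id (placeholder)
CLIENT_SECRET = b"constructed-shared-secret-for-hs256"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_state(expected_state: str, returned_state: str) -> bool:
    """Compare the state stored in the user's session with the value on the
    redirect. Constant-time comparison avoids leaking the expected value."""
    return hmac.compare_digest(expected_state.encode(), returned_state.encode())


def verify_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """Verify an HS256 ID token: signature, issuer, audience, expiry, nonce.
    Raises ValueError with a reason on the first failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # refuse 'none' and alg confusion
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected_sig = hmac.new(CLIENT_SECRET, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError("token not intended for this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired")
    nonce = str(claims.get("nonce", ""))
    if not hmac.compare_digest(nonce.encode(), expected_nonce.encode()):
        raise ValueError("nonce mismatch")
    return claims


def rejection_reason(token: str, expected_nonce: str, now=None):
    """Return the reason a token is rejected, or None if it is accepted."""
    try:
        verify_id_token(token, expected_nonce, now)
    except ValueError as e:
        return str(e)
    return None


def make_id_token(claims: dict) -> str:
    """Constructed stand-in for the issuer so the example runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


if __name__ == "__main__":
    # Values the backend generated when it started the flow and kept in the session.
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    base = {"iss": ISSUER, "aud": CLIENT_ID, "exp": int(time.time()) + 300,
            "nonce": nonce, "sub": "user-1"}
    print("state ok:", verify_state(state, state))
    print("good token:", rejection_reason(make_id_token(base), nonce))
    print("other audience:", rejection_reason(make_id_token({**base, "aud": "other-client"}), nonce))
    print("stale nonce:", rejection_reason(make_id_token(base), "replayed-nonce"))
    # Tampering with the payload without re-signing must fail the signature check.
    h, _, s = make_id_token(base).split(".")
    forged = f"{h}.{_b64url(json.dumps({**base, 'sub': 'admin'}).encode())}.{s}"
    print("forged payload:", rejection_reason(forged, nonce))
```

The order of checks matters: the signature is verified before any claim is read, so a forged payload never reaches the audience or nonce logic, and `alg` is pinned rather than trusted from the header.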