# Security Best Practices

1. **Server-side Validation**
   * Always validate `redirect_uri` server-side against a whitelist
   * Verify the `state` parameter matches the original request
2. **Authorization Flow**
   * Use authorization code flow (`response_type=code`)
   * Avoid implicit flow (`response_type=token`)
   * Implement PKCE when possible
3. **Token Management**
   * Store tokens securely
   * Refresh tokens before expiration
   * Validate scope parameters for each application
4. **Request Security**
   * Use HTTPS for all API calls
   * Include proper headers and origins
   * Handle errors and token expiration gracefully
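The first three groups of practices above (server-side `redirect_uri` allowlisting and `state` verification, the authorization code flow with PKCE, and scope validation plus pre-expiry refresh) combined in one runnable example. This is added code, not from the original page; the client registry, the client id `app-123`, the redirect URI `https://app.example/cb`, the endpoint `https://auth.example/authorize` and every sample value are constructed assumptions, and the HTTP transport between client and server is left out so the checks themselves can be exercised directly.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode, urlsplit

# Constructed client registry (assumption): what the authorization server has
# on file per client_id. Redirect URIs are matched by exact string comparison.
REGISTERED_CLIENTS = {
    "app-123": {
        "redirect_uris": {"https://app.example/cb"},
        "allowed_scopes": {"openid", "profile", "email"},
    },
}

def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Server-side: exact match against the allowlist, HTTPS only, no fragment.
    No prefix, substring or pattern matching."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in client["redirect_uris"]

def scopes_allowed(client_id: str, scope: str) -> bool:
    """Every requested scope must be one this client was registered for."""
    client = REGISTERED_CLIENTS.get(client_id)
    requested = set(scope.split())
    return client is not None and bool(requested) and requested <= client["allowed_scopes"]

def validate_authorization_request(params: dict) -> tuple:
    """Checks the authorization endpoint runs before issuing a code. The
    redirect_uri check comes first: on failure the error is shown to the user,
    never sent to the unvalidated URI."""
    client_id = params.get("client_id", "")
    if not redirect_uri_allowed(client_id, params.get("redirect_uri", "")):
        return False, "invalid_redirect_uri"
    if params.get("response_type") != "code":   # implicit flow is refused
        return False, "unsupported_response_type"
    if not scopes_allowed(client_id, params.get("scope", "")):
        return False, "invalid_scope"
    if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
        return False, "pkce_required"
    return True, "ok"

def pkce_challenge(code_verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())

def pkce_verify(code_verifier: str, code_challenge: str) -> bool:
    """Token endpoint: recompute the challenge from the presented verifier."""
    return hmac.compare_digest(pkce_challenge(code_verifier).encode(), code_challenge.encode())

class ClientSession:
    """What the client app keeps in the user's server-side session between the
    redirect to the authorization server and the callback."""
    def __init__(self):
        self.state = None
        self.code_verifier = None

def build_authorization_url(session: ClientSession, client_id: str,
                            redirect_uri: str, scope: str) -> str:
    """Client side: a fresh random state and PKCE verifier for every request."""
    session.state = secrets.token_urlsafe(32)
    session.code_verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636 limits
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": session.state,
        "code_challenge": pkce_challenge(session.code_verifier),
        "code_challenge_method": "S256",
    }
    return "https://auth.example/authorize?" + urlencode(params)  # assumed endpoint

def handle_callback(session: ClientSession, query: dict):
    """Client side: accept the code only if state matches the stored one; the
    stored state is consumed, so a replayed callback is rejected."""
    expected, session.state = session.state, None
    received = query.get("state")
    if expected is None or received is None:
        return None
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return None
    return query.get("code")

def needs_refresh(expires_at: float, now: float = None, skew: int = 60) -> bool:
    """Refresh ahead of expiry so an in-flight call never carries a dead token."""
    now = time.time() if now is None else now
    return now + skew >= expires_at
```

The exact-match allowlist is deliberate: any looser comparison (prefix, host-only, regex) is where redirect-based token leakage usually creeps in. The `state` value is compared in constant time and cleared on first use, and the token endpoint side (`pkce_verify`) binds the code exchange to the client that started the flow even if the code is observed in transit.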
