Least-Privilege Scopes
Request only the scopes your features require (e.g., identify, guilds) and nothing broader; every extra scope is data you must protect and a larger blast radius if a token leaks. For App Installs, request only the bot permissions your features actually use.
PKCE and State
Use PKCE (S256 method) for public clients such as mobile and single-page apps, and include a high-entropy, single-use state parameter on every authorization request to prevent login CSRF. Bind the state and the PKCE verifier to the user's server-side session, and verify the returned state on the callback before exchanging the code.
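The following is an added example (not code from the original page) of the PKCE and state handling described above, written in Python for a confidential server-side client. The authorize endpoint, client ID and redirect URI are placeholders, and the session is a plain dict standing in for whatever server-side session store you use; the S256 check at the end shows what the authorization server computes at the token endpoint.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder values for this example; substitute your app's real configuration.
AUTHORIZE_URL = "https://discord.com/oauth2/authorize"
CLIENT_ID = "000000000000000000"
REDIRECT_URI = "https://app.example.com/oauth/callback"


def make_code_verifier() -> str:
    # RFC 7636 allows 43-128 unreserved chars; 32 random bytes base64url-encode to 43.
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    # S256: base64url(SHA-256(verifier)) with padding stripped.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def query_params(url: str) -> dict:
    # Flatten the query string to single values for convenience.
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def begin_authorization(scopes, session: dict) -> str:
    """Store a fresh verifier and state in the server-side session; return the authorize URL."""
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(32)
    session["pkce_verifier"] = verifier
    session["oauth_state"] = state
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(callback_url: str, session: dict) -> dict:
    """Validate state, then return the token-endpoint form fields to POST from the server."""
    q = query_params(callback_url)
    # pop() makes both values single-use: a replayed callback finds nothing to match.
    expected_state = session.pop("oauth_state", None)
    verifier = session.pop("pkce_verifier", None)
    if expected_state is None or verifier is None:
        raise ValueError("no pending authorization in this session")
    if not hmac.compare_digest(q.get("state", ""), expected_state):
        raise ValueError("state mismatch: possible CSRF, discarding callback")
    if "error" in q:
        raise ValueError(f"authorization server returned error={q['error']}")
    code = q.get("code", "")
    if not code:
        raise ValueError("callback carried no authorization code")
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }


def server_verifies_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server does at the token endpoint for method S256."""
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


if __name__ == "__main__":
    session = {}
    url = begin_authorization(["identify", "guilds"], session)
    print("authorize:", url)
    # Constructed callback as the browser would deliver it after consent.
    cb = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={session['oauth_state']}"
    form = handle_callback(cb, session)
    print("token request verifier ok:", server_verifies_pkce(query_params(url)["code_challenge"], form["code_verifier"]))
```

Note that the verifier never leaves the server until the token request, and that the state comparison is constant-time; the error branch is checked only after state is validated so an attacker cannot use a crafted error callback to probe session state.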
Token Storage
Store access and refresh tokens server-side, encrypt them at rest, and prefer short lifetimes. Never expose tokens to the browser: exchange the authorization code on the server and issue the user an HttpOnly, Secure session cookie that references the server-held tokens instead of carrying them.
Rotate and Revoke
Rotate client secrets on a schedule and immediately if exposure is suspected, and revoke tokens on suspicious activity. Log the scopes each user consented to and audit how those scopes are actually used so you can detect drift and over-collection.
Callback Hygiene
Register redirect URIs exactly and match them byte-for-byte (no prefix, suffix, or wildcard matching). Serve callbacks over HTTPS only and send HSTS. Reject requests from unknown origins or with hostnames that differ from the registered URI.
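To show why "exactly" matters, here is an added example (not from the original page) in Python that runs two common but weak redirect-URI matchers and a strict exact-match allowlist over a constructed set of attacker-shaped redirect_uri values. The allowlist entry and the probe URIs are made up for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example; in practice this comes from your app's registration.
ALLOWED_REDIRECT_URIS = frozenset({"https://app.example.com/oauth/callback"})


def weak_prefix_match(uri: str) -> bool:
    # Common mistake: accept anything that starts with the registered origin.
    return uri.startswith("https://app.example.com")


def weak_host_suffix_match(uri: str) -> bool:
    # Common mistake: accept any host that "ends in" the domain, ignoring scheme and path.
    host = urlsplit(uri).hostname or ""
    return host.endswith("example.com")


def strict_match(uri: str) -> bool:
    # Exact string comparison against the registered value: no normalization,
    # no prefix logic, no wildcards. Case differences are rejected on purpose;
    # register the canonical form and require clients to send exactly that.
    if uri not in ALLOWED_REDIRECT_URIS:
        return False
    parts = urlsplit(uri)
    # Defence in depth for the allowlist itself: https only, no userinfo, no fragment.
    return parts.scheme == "https" and "@" not in parts.netloc and not parts.fragment


# Constructed probes: (redirect_uri as an attacker might submit it, should_be_accepted)
PROBES = [
    ("https://app.example.com/oauth/callback", True),
    ("https://app.example.com.attacker.net/oauth/callback", False),   # registered host as a subdomain label
    ("https://app.example.com@attacker.net/oauth/callback", False),   # registered host in the userinfo part
    ("https://app.example.com/oauth/callback/../../open-redirect", False),  # path traversal to another route
    ("https://app.example.com/oauth/callback?next=https://attacker.net", False),  # extra query parameter
    ("http://app.example.com/oauth/callback", False),                 # downgrade to plaintext
    ("https://evilexample.com/oauth/callback", False),                # suffix collision
    ("https://APP.example.com/oauth/callback", False),                # non-canonical case
]


def wrongly_accepted(matcher) -> list:
    """Return the probe URIs a matcher accepts even though they must be rejected."""
    return [uri for uri, ok in PROBES if matcher(uri) and not ok]


def wrongly_rejected(matcher) -> list:
    """Return the legitimate probe URIs a matcher rejects."""
    return [uri for uri, ok in PROBES if ok and not matcher(uri)]


if __name__ == "__main__":
    for name, fn in [("prefix", weak_prefix_match), ("host-suffix", weak_host_suffix_match), ("strict", strict_match)]:
        print(f"{name:12s} wrongly accepts {len(wrongly_accepted(fn))}, wrongly rejects {len(wrongly_rejected(fn))}")
        for uri in wrongly_accepted(fn):
            print("   ", uri)
```

Run as a script it lists, per matcher, which probes slip through: the prefix matcher accepts the subdomain, userinfo, traversal and extra-query variants; the host-suffix matcher accepts the traversal, extra-query, plaintext, look-alike domain and case variants; the strict matcher accepts only the registered URI. A code delivered to any of the weak matches lands on an attacker-controlled or attacker-influenced page, which is the failure exact matching exists to prevent.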