Skip to main content
Version: v2.0 (latest)

Best-Practice Checklist

Run your integration through this checklist before going live.

  • Read endpoints from the discovery document; do not hardcode them.
  • Use signed authorization requests (JAR), and ask for your client to require them in production.
  • Add PAR on top of signing for high-security deployments.
  • Always use PKCE S256 (mandatory for public clients).
  • Use the _only scope form (see Scopes) and pick the verification level deliberately: Dynamic for high assurance, Express for speed.
  • Send a stable login_hint per user (see login_hint) — never alternate identifiers for the same person.
  • If trust on first use is unacceptable, pre-provision profiles via the user-management API; delete profiles when users leave.
  • Validate the ID token properly: signature against jwks_uri, plus iss, aud, exp, and nonce.
  • Verify state on every redirect.
  • Enforce your required acr (see Reading the Result); do not just trust that a token was issued. Do not correlate users by sub — it changes every session.
  • Prefer private_key_jwt or mTLS over shared secrets for confidential clients.
  • Consider DPoP or mTLS-bound tokens for sensitive APIs.
  • Decide your retry and lockout policy for failed verifications.