Below are key recommendations and requirements to follow when working with authentication tokens and sensitive data:

Always use HTTPS
All API requests must be made over secure HTTPS connections. Requests sent over plain HTTP will be rejected.
Protect your tokens
Access tokens and refresh tokens should be treated as secrets. Do not expose them in URLs, logs, or client-side code. Always store them securely on the server or within secure local storage when applicable.
Use secure storage
Avoid storing sensitive credentials or tokens in plaintext. Use encrypted storage or secure token vaults in production environments.
Respect token scopes and expirations
Access tokens are short-lived. Make sure to monitor expiration times and refresh them using the appropriate endpoints. Avoid reusing expired tokens.
Enable and respect CORS policies
For browser-based applications or if you embed secure content (e.g., via WebView or iframe), ensure that the domain is allowed via CORS and that your implementation respects cross-origin constraints.
Never share secret credentials
Keep your API credentials, signing keys, and client secrets private. Do not include them in mobile apps or expose them to users.

Following these security practices helps protect both your users and your infrastructure from unauthorized access and data leaks.