
OAuth/OIDC Security

PKCE, redirect URI matching, token validation, and session hardening checklist.


Baseline requirements

  • Authorization Code flow only (response_type=code).
  • Public clients require PKCE.
  • Redirect URIs must match registered values exactly.
  • Refresh token usage must stay scoped to active sessions.

Redirect URI policy

  • No wildcard redirects.
  • No dynamic callback hosts.
  • Separate clients per environment and application surface.
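The following is an added example (not code from this documentation or its project) showing how the baseline and redirect URI rules above look when enforced by an authorization server: response_type=code only, PKCE with S256 required and verified at the token endpoint, authorization codes single-use and bound to the client and redirect_uri, and redirect URIs compared by exact string match against a per-environment registration. Client IDs, hostnames and the AuthorizationServer class are constructed for the example; the S256 transform is the one from RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed registrations: one client per environment, exact redirect URIs only.
REGISTRATIONS = {
    "app-prod": {"https://app.example.com/callback"},
    "app-sandbox": {"https://sandbox.app.example.com/callback"},
}


def pkce_challenge(verifier: str) -> str:
    """S256 transform (RFC 7636): BASE64URL(SHA256(ASCII(code_verifier)))."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    """Client side: 32 random bytes give a 43-character verifier plus its challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


class AuthorizationServer:
    """Constructed minimal /authorize and /token logic enforcing the baseline."""

    def __init__(self, registrations):
        self._registrations = registrations
        self._codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id, response_type, redirect_uri,
                  code_challenge, code_challenge_method):
        if response_type != "code":
            raise ValueError("only response_type=code is allowed")
        # Exact string comparison: no prefix match, wildcard or host substitution.
        if redirect_uri not in self._registrations.get(client_id, set()):
            raise ValueError("redirect_uri does not exactly match a registered value")
        if code_challenge_method != "S256" or not code_challenge:
            raise ValueError("PKCE with S256 is required")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, client_id, code, redirect_uri, code_verifier):
        entry = self._codes.pop(code, None)          # codes are single use
        if entry is None:
            raise ValueError("unknown or already redeemed code")
        bound_client, bound_redirect, challenge = entry
        if bound_client != client_id or bound_redirect != redirect_uri:
            raise ValueError("code is bound to a different client or redirect_uri")
        if not 43 <= len(code_verifier) <= 128 or \
                not hmac.compare_digest(pkce_challenge(code_verifier), challenge):
            raise ValueError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def demo():
    """Happy path, then a set of requests the checks must reject."""
    srv = AuthorizationServer(REGISTRATIONS)
    verifier, challenge = new_pkce_pair()
    good_redirect = "https://app.example.com/callback"
    code = srv.authorize("app-prod", "code", good_redirect, challenge, "S256")
    issued = srv.token("app-prod", code, good_redirect, verifier)
    attempts = [
        ("implicit", lambda: srv.authorize("app-prod", "token", good_redirect, challenge, "S256")),
        ("subpath", lambda: srv.authorize("app-prod", "code", good_redirect + "/extra", challenge, "S256")),
        ("other-host", lambda: srv.authorize("app-prod", "code", "https://other.example.com/callback", challenge, "S256")),
        ("sandbox-uri-on-prod", lambda: srv.authorize("app-prod", "code", "https://sandbox.app.example.com/callback", challenge, "S256")),
        ("plain-pkce", lambda: srv.authorize("app-prod", "code", good_redirect, verifier, "plain")),
        ("code-reuse", lambda: srv.token("app-prod", code, good_redirect, verifier)),
        ("wrong-verifier", lambda: srv.token("app-prod", srv.authorize("app-prod", "code", good_redirect, challenge, "S256"), good_redirect, new_pkce_pair()[0])),
    ]
    rejected = []
    for label, attempt in attempts:
        try:
            attempt()
        except ValueError:
            rejected.append(label)
    return issued["token_type"], rejected
```

The membership test against a set of registered strings is deliberately the whole redirect policy: anything that normalises, prefix-matches or parses the host before comparing reopens the wildcard and dynamic-host cases the checklist rules out.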

Token validation checklist

Validate at minimum:

  • iss equals expected issuer
  • aud contains expected client ID
  • exp is in the future
  • nbf is in the past (with bounded skew)
  • nonce matches session for browser flows

JWKS handling

  • Cache keys by kid.
  • Refresh when unknown kid appears.
  • Fail closed on signature mismatch.
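Added example covering both the token validation checklist and the JWKS handling rules (not code from this documentation or its project): the JWKS cache is keyed by kid, refreshes once when an unknown kid appears, and returns nothing if the kid is still unknown so the caller fails closed; the signature is checked before any claim is read, and then iss, aud, exp, nbf (with bounded skew) and nonce are validated in order. To keep it runnable with the standard library alone, the sample keys are symmetric "oct" JWKs signed with HS256; a real provider's JWKS carries RSA or EC public keys and the verification would go through a JOSE library. Key IDs, issuer, client ID and the mint_token helper are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

class TokenError(Exception):
    """Any validation failure; the caller rejects the login outright."""

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class JwksCache:
    """Keys cached by kid; exactly one refresh when an unknown kid appears."""

    def __init__(self, fetch_jwks):
        self._fetch_jwks = fetch_jwks   # callable returning the JWKS document (dict)
        self._keys = {}
        self.fetch_count = 0

    def get(self, kid):
        if kid not in self._keys:
            self.fetch_count += 1
            doc = self._fetch_jwks()
            self._keys = {k["kid"]: k for k in doc.get("keys", []) if "kid" in k}
        return self._keys.get(kid)      # None if still unknown: caller fails closed

def validate_id_token(token, cache, issuer, client_id, nonce, now, skew=60):
    """Signature first (via the kid-keyed cache), then the claim checklist."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":              # allow-list; never honour alg=none
        raise TokenError("unexpected alg")
    jwk = cache.get(header.get("kid"))
    if jwk is None:
        raise TokenError("unknown kid")           # fail closed
    expected = hmac.new(_b64url_decode(jwk["k"]),
                        f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("signature mismatch")    # fail closed
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise TokenError("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("aud does not contain client ID")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenError("exp is not in the future")
    nbf = claims.get("nbf")
    if nbf is not None and nbf > now + skew:      # bounded clock skew
        raise TokenError("nbf is in the future")
    if nonce is not None and claims.get("nonce") != nonce:
        raise TokenError("nonce mismatch")
    return claims

def mint_token(jwk, claims):
    """Constructed HS256 signer, used only to build the sample tokens below."""
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "kid": jwk["kid"]}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(_b64url_decode(jwk["k"]), f"{header_b64}.{payload_b64}".encode(),
                   hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"

# Constructed sample keys and identifiers (a real JWKS carries RSA/EC public keys).
KEY_1 = {"kty": "oct", "kid": "2024-01", "alg": "HS256", "k": _b64url_encode(b"k" * 32)}
KEY_2 = {"kty": "oct", "kid": "2024-02", "alg": "HS256", "k": _b64url_encode(b"z" * 32)}
ISSUER = "https://issuer.example"
CLIENT_ID = "app-prod"

def demo():
    """Provider rotates to KEY_2 after the cache was primed with KEY_1 only."""
    published = [{"keys": [KEY_1]}]               # stands in for the remote JWKS endpoint
    cache = JwksCache(lambda: published[0])
    now = 1_700_000_000                           # fixed clock; use time.time() for real
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "exp": now + 300, "nbf": now - 5, "nonce": "n-1"}
    args = (cache, ISSUER, CLIENT_ID, "n-1", now)
    old_ok = validate_id_token(mint_token(KEY_1, claims), *args)["nonce"]
    published[0] = {"keys": [KEY_1, KEY_2]}        # rotation: a new kid appears
    new_ok = validate_id_token(mint_token(KEY_2, claims), *args)["nonce"]
    h, _, s = mint_token(KEY_1, claims).split(".")
    tampered = ".".join([h, _b64url_encode(json.dumps(dict(claims, sub="admin")).encode()), s])
    rejected = []
    for label, bad in [("aud", mint_token(KEY_1, dict(claims, aud="other-app"))),
                       ("exp", mint_token(KEY_1, dict(claims, exp=now - 1))),
                       ("kid", mint_token({"kid": "ghost", "k": KEY_1["k"]}, claims)),
                       ("sig", tampered)]:
        try:
            validate_id_token(bad, *args)
        except TokenError:
            rejected.append(label)
    return old_ok, new_ok, cache.fetch_count, rejected
```

Note the fetch count in the demo: one fetch to prime the cache, one when the rotated kid first appears, and one more for the unknown kid, which is rejected after that single refresh rather than triggering repeated fetches of the JWKS endpoint.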

Session hardening

  • Rotate refresh tokens.
  • Revoke on membership or security changes.
  • Keep auth cookies httpOnly, secure, sameSite=lax.
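Added example (not code from this documentation or its project) of a session store that implements the hardening items above: every refresh token is bound to one session and replaced on each use, a whole user's sessions can be revoked on a membership or security change, and the auth cookie is emitted with HttpOnly, Secure and SameSite=Lax. It goes slightly beyond the checklist by also treating presentation of an already-rotated token as reuse and ending that session, which is the usual companion to rotation. The SessionStore class, cookie name and user names are constructed for the example.

```python
import secrets

class SessionRevoked(Exception):
    """Any refresh that must be rejected; the caller forces a fresh login."""

class SessionStore:
    """Constructed store: refresh tokens bound to a session and rotated per use."""

    def __init__(self):
        self._sessions = {}      # session_id -> {"user", "current", "revoked"}
        self._token_owner = {}   # every token ever issued -> session_id (reuse detection)

    def _issue(self, sid):
        token = secrets.token_urlsafe(32)
        self._token_owner[token] = sid
        return token

    def start(self, user):
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"user": user, "current": None, "revoked": False}
        self._sessions[sid]["current"] = self._issue(sid)
        return sid, self._sessions[sid]["current"]

    def refresh(self, presented):
        sid = self._token_owner.get(presented)
        if sid is None:
            raise SessionRevoked("unknown refresh token")
        session = self._sessions[sid]
        if session["revoked"]:
            raise SessionRevoked("session revoked")
        if presented != session["current"]:
            # A rotated-out token came back: treat it as replay and end the session.
            session["revoked"] = True
            raise SessionRevoked("refresh token reuse detected")
        session["current"] = self._issue(sid)    # rotation: old token is now dead
        return session["current"]

    def revoke_user(self, user):
        """Membership or security change: end every active session for the user."""
        count = 0
        for session in self._sessions.values():
            if session["user"] == user and not session["revoked"]:
                session["revoked"] = True
                count += 1
        return count

    def is_active(self, sid):
        session = self._sessions.get(sid)
        return session is not None and not session["revoked"]

def auth_cookie(session_id):
    """Set-Cookie value with the checklist attributes: HttpOnly, Secure, SameSite=Lax."""
    return f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"

def demo():
    """Walk through rotation, reuse detection and revocation on a user change."""
    store = SessionStore()
    sid, t1 = store.start("alice")
    t2 = store.refresh(t1)                         # t1 rotated out
    outcomes = {"rotated": t2 != t1}
    try:
        store.refresh(t1)                          # old token presented again
        outcomes["reuse_rejected"] = False
    except SessionRevoked:
        outcomes["reuse_rejected"] = True
    outcomes["session_killed"] = not store.is_active(sid)
    try:
        store.refresh(t2)                          # newest token is useless too
        outcomes["current_rejected_after_reuse"] = False
    except SessionRevoked:
        outcomes["current_rejected_after_reuse"] = True
    sid2, _ = store.start("bob")
    outcomes["revoked_on_change"] = store.revoke_user("bob") == 1 and not store.is_active(sid2)
    outcomes["cookie"] = auth_cookie(sid2)
    return outcomes
```

Keeping the session record as the unit of revocation is what makes "scoped to active sessions" enforceable: a refresh token is only ever as alive as the session it belongs to, and revoking the session invalidates every token issued for it at once.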

Deployment model

  • Keep sandbox and production clients separate.
  • Keep issuer and callback values environment-specific.
  • Validate integration with a full login and refresh smoke test before release.