Public clients cannot protect long-lived secrets. Rotation and reuse detection are non-negotiable.
Core Controls
- PKCE for authorization code flow.
- Short-lived access tokens.
- One-time-use refresh tokens.
{
"access_token_ttl": 900,
"refresh_rotation": true,
"reuse_detection": true
}Design the token lifecycle assuming compromise, not best behavior.