code_challenge is the hashed version of your code_verifier. We will send this hash in step 2 when you request authentication from Cotter. code_challenge is sent first so that later, in step 3, Cotter's server can verify that hash(code_verifier) is the same as code_challenge and that you are indeed the one who made the original request.
abcXYZ456). This is not the same as your code_verifier. You need to check if the state included by Cotter in the redirect_url is the same as the initial state that you set to make sure the request is for you. Learn more about state.
redirect_url that you specified in step 2.
tokens and the user's email or phone number from Cotter's server.
API_KEY_ID is exposed to anyone inspecting your code. Here are some ways to prevent abuse:
state=XYZ in the beginning of the auth flow. You should expect that when Cotter redirects back to your redirect_url in Step 2, the state is the same (state == XYZ). This makes sure that the redirect was in response to your initial authentication request.
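
The code_challenge and state checks described above, as an added example that is not from Cotter's documentation or SDK. It assumes the standard PKCE S256 transform from RFC 7636 (the page does not say which hash Cotter uses); the function names and the app.example redirect URL are hypothetical.

```javascript
// Added example: PKCE values and the state check, using Node's built-in crypto.
const crypto = require('crypto');

// base64url without padding, the encoding RFC 7636 uses for PKCE values
function b64url(buf) {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Step 1: a fresh high-entropy code_verifier (32 random bytes -> 43 characters)
function newVerifier() {
  return b64url(crypto.randomBytes(32));
}

// Step 1: code_challenge = base64url(SHA-256(code_verifier)) (assumed S256 method)
function challengeFor(verifier) {
  return b64url(crypto.createHash('sha256').update(verifier, 'ascii').digest());
}

// Step 1: an unguessable state value, kept client-side until the redirect arrives
function newState() {
  return b64url(crypto.randomBytes(16));
}

// Constant-time comparison so the check does not leak how many characters matched
function safeEqual(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Step 2: accept the redirect only if it carries the state we generated
function stateMatches(redirectUrl, expectedState) {
  const got = new URL(redirectUrl).searchParams.get('state');
  return got !== null && safeEqual(got, expectedState);
}

// Step 3, server side: the verifier sent now must hash to the challenge sent earlier
function serverVerifies(verifier, storedChallenge) {
  return safeEqual(challengeFor(verifier), storedChallenge);
}

// Constructed walk-through: an intercepted redirect with a foreign state is rejected
const state = newState();
const verifier = newVerifier();
const challenge = challengeFor(verifier);
console.log(stateMatches(`https://app.example/callback?state=${state}`, state)); // own request
console.log(stateMatches('https://app.example/callback?state=forged', state));   // someone else's
console.log(serverVerifies(verifier, challenge));
```

Generate a new code_verifier and state for every login attempt and discard both once the flow completes or fails.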