DeadArk Integration Security Checklist
A practical security checklist for integrating Sign in with DeadArk: PKCE, state, redirect URIs, server-side exchange, scopes, and safe identity storage.
- Always use Authorization Code with PKCE and verify the state parameter.
- Match redirect URIs exactly and perform the token exchange server-side only.
- Request minimal scopes and store the portable profile ID, not sensitive data.
- Validate tokens, handle revocation, and never log secrets or tokens.
How to use this checklist
These are the security requirements for a sound Sign in with DeadArk integration. Most map directly to doing the standard OAuth 2.1 flow correctly — the failures come from skipping steps, not from exotic attacks. Treat each item as a gate before you ship.
Authorization flow
- Use Authorization Code with PKCE. Always generate a fresh
code_verifier/code_challengeper request and usecode_challenge_method=S256. Never use the implicit flow. - Verify `state`. Generate a random, per-request
state, store it in the session, and reject any callback whosestatedoes not match. This is your CSRF protection. - Match redirect URIs exactly. Register precise redirect URIs and rely on exact matching. Do not use wildcards or build redirect targets from untrusted input.
Token handling
- Exchange the code server-side. The token exchange and any client secret must live on your server, never in the browser.
- Validate tokens. For OIDC ID tokens, validate the signature, issuer, audience, and expiry before trusting any claim.
- Store tokens securely. Keep tokens server-side, scoped to the session; never expose them to client-side code that does not need them.
- Handle expiry and revocation. Refresh appropriately and stop honoring sessions when tokens are revoked or the user signs out.
Scopes and data
- Request minimal scopes. Ask only for what your app needs. Over-scoping is a liability you gain nothing from.
- Store the portable profile ID as the user key. Key account records on the stable profile identifier; do not depend on mutable display data, and do not expect a private account UUID.
- Minimize what you persist. Store the identity link and what you genuinely need — not a copy of everything userinfo returns.
Operational hygiene
- Never log secrets or tokens. Keep
code,code_verifier, access tokens, and any client secret out of logs and error reports. - Protect your client credentials. Store any secret in a secret manager, rotate it if exposed, and keep it out of source control.
- Use HTTPS everywhere. Every redirect URI and endpoint your flow touches must be TLS-protected.
- Fail closed. On any verification failure — bad
state, invalid token, mismatched redirect — reject the sign-in rather than degrading to a weaker path.
The short version
Do the standard flow correctly: PKCE, verified state, exact redirect URIs, server-side exchange, validated tokens, minimal scopes, and the portable profile ID as your user key — and never log secrets.
Frequently asked questions
What is the most important step in securing a DeadArk integration?
Use the Authorization Code flow with PKCE and verify the state parameter, while performing the token exchange server-side. Most integration vulnerabilities come from skipping these basics.
How many scopes should I request?
The minimum your app needs. Over-scoping increases liability without benefit. Request basic profile access and add scopes only when a feature genuinely requires them.
What user data should I store?
Store the portable profile ID as your user key plus the minimum you genuinely need. Do not key on mutable display data, do not expect a private account UUID, and never log tokens or secrets.
More in Developers
A portable profile ID is the stable identifier your app uses to recognize a DeadArk user across sessions and apps — without ever touching their private account.
How OAuth 2.1, PKCE, and passkeys fit together to give your app phishing-resistant login — and why this combination closes the gaps older flows left open.
A step-by-step guide to adding Sign in with DeadArk to your app: register a client, run the PKCE flow, exchange the code, and read profile claims.
DeadArk is a local social network for people, communities, businesses, projects, publications, and institutions to connect through shared interests and place. Learn more at deadark.com.