Stitch takes the security and privacy of both its clients and end users seriously. However, certain mitigations are only effective if integrating parties participate in them.
Please review the following list of security recommendations before you start integration, and again before the release of your application.
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in RFC 2119.
- It is RECOMMENDED that Refresh and Access Tokens be stored in encrypted format at rest if stored on the server side.
- If a token breach is detected, Stitch SHOULD be immediately contacted so that affected tokens can be revoked.
- The number of employees with access to tokens SHOULD be minimized.
- Scopes SHOULD only be requested if needed. This limits the potential for abuse should a breach remain undetected.
- Redirect URIs MUST be present and MUST be protected by SSL and HSTS to prevent man-in-the-middle attacks.
- code_verifier MUST be regenerated for each authorization request.
- code_challenge MUST be between 43 and 128 characters in length.
- code_verifier MUST be between 43 and 128 characters in length.
- code_verifier MUST only contain the characters 0-9 and the punctuation characters -._~ (hyphen, period, underscore, and tilde).
- A unique, cryptographically secure, random state parameter MUST be used for each request.
- The nonce parameter MUST be between 32 and 300 characters in length.
- The state parameter MUST be between 32 and 300 characters in length.
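The following is an added example, not code from Stitch or from this page, showing how a client can generate the PKCE and request-binding values so that they satisfy the rules above: a fresh code_verifier per authorization request, a code_challenge derived from it with S256, and fresh state and nonce values within the 32 to 300 character window. The character set used for the verifier is the RFC 7636 "unreserved" set (A-Z, a-z, 0-9 and -._~); the letter ranges come from the RFC, not from the page. The function and variable names are this example's own, and the known-answer pair in the comments is the S256 test vector from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass

# RFC 7636 unreserved characters for code_verifier (assumption: the page's
# rule intends this set; the page text itself only lists 0-9 and -._~).
VERIFIER_ALPHABET = frozenset(string.ascii_letters + string.digits + "-._~")


def make_code_verifier(n_bytes: int = 64) -> str:
    """Generate a fresh code_verifier: 64 random bytes -> 86 base64url chars."""
    raw = secrets.token_bytes(n_bytes)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier)) without padding (43 chars).
    RFC 7636 Appendix B: dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
    -> E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_state_or_nonce(n_bytes: int = 32) -> str:
    """32 random bytes -> 43 base64url chars, inside the 32..300 window."""
    return secrets.token_urlsafe(n_bytes)


def validate_code_verifier(verifier: str) -> bool:
    """Length 43..128 and only unreserved characters."""
    return 43 <= len(verifier) <= 128 and all(c in VERIFIER_ALPHABET for c in verifier)


def validate_code_challenge(challenge: str) -> bool:
    """Length 43..128 (S256 output is exactly 43 characters)."""
    return 43 <= len(challenge) <= 128


def validate_state_or_nonce(value: str) -> bool:
    """Length 32..300 as required for both state and nonce."""
    return 32 <= len(value) <= 300


@dataclass(frozen=True)
class PendingAuthorization:
    """Per-request values the client keeps server-side until the callback."""
    code_verifier: str
    code_challenge: str
    state: str
    nonce: str


def begin_authorization() -> PendingAuthorization:
    """Build a new, independent set of values for one authorization request."""
    verifier = make_code_verifier()
    pending = PendingAuthorization(
        code_verifier=verifier,
        code_challenge=make_code_challenge(verifier),
        state=make_state_or_nonce(),
        nonce=make_state_or_nonce(),
    )
    # Refuse to proceed if any generated value violates the stated rules.
    if not (validate_code_verifier(pending.code_verifier)
            and validate_code_challenge(pending.code_challenge)
            and validate_state_or_nonce(pending.state)
            and validate_state_or_nonce(pending.nonce)):
        raise ValueError("generated authorization parameters violate policy")
    return pending


def authorize_query_params(pending: PendingAuthorization) -> dict:
    """Parameters sent on the authorization request (the verifier stays secret)."""
    return {
        "code_challenge": pending.code_challenge,
        "code_challenge_method": "S256",
        "state": pending.state,
        "nonce": pending.nonce,
    }


def callback_state_matches(pending: PendingAuthorization, returned_state: str) -> bool:
    """Constant-time comparison of the state echoed back on the redirect URI."""
    return hmac.compare_digest(pending.state, returned_state)


if __name__ == "__main__":
    req = begin_authorization()
    print(authorize_query_params(req))
    print("state ok:", callback_state_matches(req, req.state))
```

The code_verifier is never placed on the authorization URL; only the challenge, state and nonce travel to the authorization server, and the verifier is sent later on the token exchange. Because begin_authorization() is called once per request, two consecutive calls never share a verifier, state or nonce, which is what the "regenerated for each authorization request" and "unique ... for each request" rules ask for.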