#[dmitshur]I'm interested in knowing how you tell the two requests apart. One viable way seems to be to check if there's a "code" parameter, which must be present in the Authorization Code Verification request, but you can arrange for it to not be in your "Accept" button press.