#[fluffy] so, interesting wrinkle… Authl by default stashes the state data in the state value itself. Which means if someone’s savvy to that and notices that Authl is using an itsdangerous signed session cookie thing for that storage, they’d be able to extract the verifier out of it.