#sandro Yeah, I like that, but the sender still needs to do more than seems necessary. You could let this play out by offering both: post either with code= or access_token= & token_type & expires_in, as you like. code= for the more paranoid about their content. See how often that's actually done.