How to validate OpenAI calling /token for actions

I’m a bit confused as to what’s supposed to happen in the step during OAuth after redirecting to the callback.

So OpenAI calls /token, and expects me to return the access token and so on. But I also want the state again here, so I can give it back the token that matches the state. Otherwise anyone can just POST /token and grab an access token. What am I missing?

OpenAI will call /token with client_id and client_secret, which you’ll need to store and match on your backend. This prevents request forgery, because you (the developer) have privately shared those values with OpenAI. See the OAuth docs for more.