Security

• Never embed credentials/secrets in distributed binaries or client code
• Keep refresh tokens and client secrets server‑side only
• One product per registered application
• Use a clear and contactable User-Agent