Q: Hi team, Hope you are well!

Just taking a peek at your docs. Looks like you're using implicit flow grant type from the OAuth 2.0 spec, is that right?

Judging by the request/response payloads, I couldn't see evidence of an authorization code exchange, nor PKCE (no code challenge/code verifier values in the payloads). It looks like an access token is immediately issued upon verifying an OTP via a POST request.

Can you confirm what standards you are using for authorization and authentication?

I have to admit that I'm not as up to speed as I would like with passwordless implementations, so maybe I'm getting the wrong end of the stick here (if so, I apologise, but hopefully you can understand our concern!). It's a little disconcerting that we can't find any information related to what standards you are employing to actually secure our applications whereas other services (even right here on AppSumo) are much more transparent. It would be great if you could point me to the relevant resource/section of the docs, or any information you can reply with would be greatly appreciated!

Thanks,
J

J86232, Feb 11, 2023
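The question above hinges on two things a reviewer looks for in captured OAuth traffic: whether the authorization request asks for `response_type=code` (authorization code flow) rather than `response_type=token` (implicit flow), and whether PKCE is in use, i.e. a `code_challenge` on the authorization request and a matching `code_verifier` on the token request. The following Python is an added example, not code from the original post or from the service being asked about. It implements the RFC 7636 S256 check (challenge = base64url(SHA-256(verifier)), no padding) and a small classifier that runs over constructed sample requests; the URLs, client id and authorization code are made-up placeholders, while the verifier/challenge pair is the published RFC 7636 Appendix B test vector.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlparse


def b64url_nopad(data: bytes) -> str:
    """base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    """Generate a code_verifier: 32 random bytes encode to 43 chars (RFC minimum)."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def verifier_matches(verifier: str, challenge: str, method: str = "S256") -> bool:
    """Server-side check performed at the token endpoint (constant-time compare)."""
    if method == "S256":
        return secrets.compare_digest(s256_challenge(verifier), challenge)
    if method == "plain":  # permitted by the RFC but offers no protection against a leaked challenge
        return secrets.compare_digest(verifier, challenge)
    return False


def classify_flow(authorize_url: str, token_request: Optional[dict]) -> dict:
    """Inspect a captured authorization URL and (optional) token request body.

    Returns which grant the front channel uses and whether PKCE is present and valid.
    """
    query = parse_qs(urlparse(authorize_url).query)
    response_type = query.get("response_type", [""])[0]
    if response_type == "token":
        flow = "implicit"
    elif response_type == "code":
        flow = "authorization_code"
    else:
        flow = "unknown"

    challenge = query.get("code_challenge", [None])[0]
    method = query.get("code_challenge_method", ["plain"])[0]
    verifier = (token_request or {}).get("code_verifier")
    pkce_present = challenge is not None and verifier is not None
    pkce_valid = pkce_present and verifier_matches(verifier, challenge, method)
    return {"flow": flow, "pkce_present": pkce_present, "pkce_valid": pkce_valid}


# Constructed samples (placeholders, not real endpoints or credentials).
IMPLICIT_AUTHZ = (
    "https://auth.example.invalid/authorize?response_type=token"
    "&client_id=demo-app&redirect_uri=https://app.example.invalid/cb"
)
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"      # RFC 7636 Appendix B
RFC_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"     # RFC 7636 Appendix B
PKCE_AUTHZ = (
    "https://auth.example.invalid/authorize?response_type=code"
    "&client_id=demo-app&redirect_uri=https://app.example.invalid/cb"
    f"&code_challenge={RFC_CHALLENGE}&code_challenge_method=S256"
)
PKCE_TOKEN_REQUEST = {
    "grant_type": "authorization_code",
    "code": "PLACEHOLDER_AUTH_CODE",
    "code_verifier": RFC_VERIFIER,
}

if __name__ == "__main__":
    print("implicit sample:", classify_flow(IMPLICIT_AUTHZ, None))
    print("code+PKCE sample:", classify_flow(PKCE_AUTHZ, PKCE_TOKEN_REQUEST))
```

When reviewing a vendor's documented payloads, the signals to look for are exactly the ones `classify_flow` reports: an implicit flow shows `response_type=token` and no token-endpoint exchange at all, while a PKCE-protected authorization code flow shows the challenge on the front channel and the verifier on the back channel, and the server must reject a token request whose verifier does not hash to the stored challenge.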