This paper describes aspects of the security of OAuth and OpenID Connect in the context of hypermedia. It shows how some of the security measures of these protocols differ when the flows are driven through a hypermedia API rather than a browser.
It explains several methods by which the provenance of a client is attested, comparing the technique used with the API to that of a typical browser-based interaction. Once the provenance of a client can be reliably established, the authentication and user-consent interactions with the API can be adapted accordingly. In making these points, the paper defines the terms first- and third-party application, provides an in-depth overview of DPoP, and outlines how modern execution environments can be used to perform application attestation.