Your Lucca account contains sensitive date which you wouldn’t want leaked.
Create a new client application for each integration scenario
Fewer scopes is better
Request a new access token for each new exchange
Do not share, commit and/or publish the `client_secret`
Verify webhook-events signatures