1

Create a new client application for each integration scenario

In order to reduce the depth and breadth of scopes given the each client application.
2

Fewer scopes is better

Only give the bare minimum scopes needed to your client application.Similarly, only request the subset of scopes needed to achieve what you want when requesting an access_token. In any case, there’s a limit to the number of scopes (max: 4,000 characters) that can be granted to a single access_token and you will get an error if you attempt to exceed it.
3

Request a new access token for each new exchange

Divide your integration scenario into atomic flows, and generate an access_token for each one. This makes it possible to give a very restricted set of oauth scopes to each access_token.The Lucca API imposes a short lifetime to all access_tokens in order to encourage such behavior.
4

Do not share, commit and/or publish the `client_secret`

Make them environment variables. Never commit or push them to your repository.If you do, then revoke them via the “client application” administration interface.
5

Verify webhook-events signatures

Make sure your webhook endpoint that receives events verifies their signature.