Is the presence of the id_token in the URL a security risk?

We recently had a potential customer tell us that they view the presence of the id_token within the URL during parts of the auth flow as a security risk.

We would like to alleviate the customer’s concerns but would not like to switch to using post_data as the response mode.

What specifics can we tell the customer about how Auth0 prevents this from being a security risk?

Thank you,
Julius

Hi @julius,

Welcome to the Auth0 Community!

Can you please tell us more about your setup? I can reach out to the team, and would like some specific details about how you have set up your flow.