I’m trying to understand how to use nonce. According to the (documentation)[ Mitigate Replay Attacks When Using the Implicit Flow ], nonce is used to prevent replay attacks. But all of the documentation talks to, and the example so, that the SPA is what is being protected. SPA’s do not service requ…

SPA's don't do authentication (replay attacks)

Topic		Replies	Views
Why use state, or even nonce? Get Help	2	5824	April 2, 2018
State vs nonce in auth0-js Get Help auth0js , csrf	5	15134	August 30, 2019
Is Nonce requried for the Authoziation Code flow Get Help oidc , protocols	2	2839	July 20, 2023
Are nonce and state automatically verified? Get Help	1	3537	April 23, 2020
Where should the 'state' nonce be generated and checked? Get Help authorization-code-f , state	2	10020	July 25, 2019