Security considerations
Use a backend server
Your token request MUST occur on a backend server; implicit grant types are not supported. Do not provide the client secret to unsecured environments such as web clients.
Validate parameters
Be sure to validate all query parameters received via the Redirect URI.
State field
Your implementation should also use the state parameter to protect against cross-site request forgery (CSRF).
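The following backend-side handler, added here as an illustration and not code from the provider's documentation, shows the two previous points together: a fresh, unguessable state is bound to the user's session before redirecting to the authorization endpoint, and every query parameter on the redirect back is checked (presence, single occurrence, state match, sane code) before the authorization code is allowed anywhere near a token request. The endpoint URL, client ID, redirect URI and in-memory session store are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders: the real authorization endpoint and client ID
# come from the provider's documentation, not from this example.
AUTHORIZE_URL = "https://auth.example.invalid/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.invalid/oauth/callback"

# Server-side session store keyed by session id (placeholder; a real
# deployment would use a signed-cookie or server-side session backend).
SESSIONS: dict[str, dict] = {}


def build_authorization_url(session_id: str, scopes: list[str]) -> str:
    """Build the redirect to the provider, binding a fresh state to the session."""
    state = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["oauth_state"] = state
    params = {
        "response_type": "code",    # authorization code; never "token" (implicit)
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),  # only the scopes the integration actually uses
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def validate_callback(session_id: str, callback_url: str) -> str:
    """Validate the redirect back from the provider and return the authorization code.

    Raises ValueError on anything unexpected, so the caller never exchanges a
    code from a request it did not initiate.
    """
    query = parse_qs(urlparse(callback_url).query, keep_blank_values=True)

    # The provider may report an error instead of a code; never treat that as success.
    if "error" in query:
        raise ValueError("provider returned error: " + query["error"][0])

    # Each required parameter must be present exactly once and non-empty.
    for name in ("code", "state"):
        values = query.get(name, [])
        if len(values) != 1 or not values[0]:
            raise ValueError("missing or repeated parameter: " + name)

    # The stored state is consumed on first use so a callback cannot be replayed.
    expected = SESSIONS.get(session_id, {}).pop("oauth_state", None)
    received = query["state"][0]
    if expected is None or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: possible CSRF or stale callback")

    # Authorization codes are opaque, but an oversized or non-printable value
    # should never be forwarded to the token endpoint.
    code = query["code"][0]
    if len(code) > 512 or not code.isprintable():
        raise ValueError("malformed authorization code")
    return code
```

The code returned by validate_callback is then exchanged for tokens from the backend only, which is the only place the client secret ever lives.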
Limited scopes
Only request the scopes which you actually intend to use for your integration.
Token storage
Be sure to store tokens in a secure manner, especially refresh tokens which grant long-term access to resources.
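As an added example (not the provider's code), the helpers below show one minimal way to handle refresh tokens on a backend host: the token file is created with owner-only permissions from the outset, reads refuse a file whose permissions have since been loosened, and a redaction helper keeps full token values out of log lines. Paths and token values are constructed for the demo.

```python
import json
import os
import stat
import tempfile
from pathlib import Path


def save_tokens(path: Path, tokens: dict) -> None:
    """Write the token set to a file readable only by the owning account (mode 0600).

    The restrictive mode is applied at creation and re-asserted on the open
    descriptor, so a pre-existing wider-permission file is tightened too.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(tokens, f)


def load_tokens(path: Path) -> dict:
    """Read tokens back, refusing a file that group or others can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible by group/other (mode {oct(mode)})")
    with open(path) as f:
        return json.load(f)


def redact(token: str) -> str:
    """Log-safe form of a token: everything but the last four characters masked."""
    if len(token) <= 4:
        return "****"
    return "*" * (len(token) - 4) + token[-4:]


def demo() -> dict:
    """Round-trip a constructed token set and show the permission check firing."""
    workdir = Path(tempfile.mkdtemp())
    path = workdir / "tokens.json"
    tokens = {"access_token": "at-example-1234", "refresh_token": "rt-example-9876"}
    save_tokens(path, tokens)
    result = {
        "mode": stat.S_IMODE(os.stat(path).st_mode),
        "roundtrip": load_tokens(path) == tokens,
        "log_line": "refreshed session using " + redact(tokens["refresh_token"]),
    }
    os.chmod(path, 0o644)  # simulate someone loosening permissions later
    try:
        load_tokens(path)
        result["loosened_rejected"] = False
    except PermissionError:
        result["loosened_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

A production service would more often keep refresh tokens in a secrets manager or encrypted at rest under a key the application does not store alongside the data; the permission and redaction checks here are the floor, not the ceiling.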