Twitch Connect confusion

Hello again,

So I’m progressing and managed to retrieve claims using said flow (still encrypted). I’d like to do it the proper way and I’m concerned with security and authenticity.

I understood the “state” parameter’s purpose.

In your example, you don’t seem to use nonce. Is it “optional”? I can’t exactly see how its usage is different from state (which seems to be: generating a random TOKEN-A and checking at some point in the process that the returned value equals TOKEN-A).

I’m also curious as to why we use a POST request on a URI that contains query parameters?