AntiPattern

SameSite/Token Scope Drift

same-site-token-scope-drift

Cookie-based state tokens get serialized and signed correctly, but browser SameSite/credential scope blocks them from being sent on cross-site navigations, so redirect-based flows fail; developers then misattribute the break to token formatting instead of transport rules.