AntiPattern
SameSite/Token Scope Drift
same-site-token-scope-drift
Cookie-based state tokens get serialized and signed correctly, but browser SameSite/credential scope blocks them from being sent on cross-site navigations, so redirect-based flows fail; developers then misattribute the break to token formatting instead of transport rules.