I'm having the exact same security problem: my app can't figure out whether a given OAuth key was issued for my app and not for an evil one. I'm working on an online tool which works with sensitive data (API keys), and I'd like to use itch.io OAuth authentication instead of inventing my own, but it's not secure in its current condition. As I understand it, adding a field like
issuer: { client_id: "ABCDEF" }
to the /me API response would fully solve this problem. Would it be possible to fix this, please? @leafo
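As an added illustration (not code from the post or from itch.io), here is how a relying app could consume the proposed `issuer.client_id` field and fail closed when it is missing or belongs to another client. The `issuer` field, the sample `/me` bodies and the client ids are constructed assumptions; itch.io's real `/me` response does not currently carry this field.

```python
import hmac
import json

# Constructed client id for "our" app (assumption, not a real registration).
EXPECTED_CLIENT_ID = "ABCDEF"

# Constructed /me responses modelled on the post's proposal (not real itch.io output).
ME_RESPONSE_OK = json.dumps({"user": {"id": 1, "username": "alice"},
                             "issuer": {"client_id": "ABCDEF"}})
ME_RESPONSE_OTHER_APP = json.dumps({"user": {"id": 1, "username": "alice"},
                                    "issuer": {"client_id": "OTHERAPP"}})
ME_RESPONSE_LEGACY = json.dumps({"user": {"id": 1, "username": "alice"}})


class TokenNotForThisApp(Exception):
    """The access token was not issued to this application (or we cannot tell)."""


def verify_me_response(body: str, expected_client_id: str) -> dict:
    """Return the user object only if /me states the token was issued to us.

    Fails closed: a missing or mismatched issuer.client_id is rejected, because
    a token obtained by some other app would otherwise be accepted as a login.
    """
    data = json.loads(body)
    issuer = data.get("issuer")
    if not isinstance(issuer, dict):
        raise TokenNotForThisApp("response does not say which app the token was issued to")
    client_id = issuer.get("client_id")
    # Constant-time comparison; also guards against a non-string value.
    if not isinstance(client_id, str) or not hmac.compare_digest(client_id, expected_client_id):
        raise TokenNotForThisApp(f"token was issued to client {client_id!r}, not to us")
    return data["user"]


def login_with_token(body: str, expected_client_id: str = EXPECTED_CLIENT_ID) -> tuple:
    """Outcome of a login attempt: ('accepted', username) or ('rejected', reason)."""
    try:
        user = verify_me_response(body, expected_client_id)
        return ("accepted", user["username"])
    except TokenNotForThisApp as exc:
        return ("rejected", str(exc))
```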