  1. FHIR Specification Feedback
  2. FHIR-32215

Unclear limitation requirement


Details

    • Change Request
    • Resolution: Persuasive
    • Highest
    • SMART on FHIR (FHIR)
    • 2.0.0
    • FHIR Infrastructure
    • STU
    • Overview
    • 1.6.1.1
    • Clarify wording to emphasize data minimization, and move to top of paragraph. This paragraph now lists a set of app requirements/recommendations pertaining to the creation of an authorization request and handling of the authorization response.

       

      Update: 

      The app SHALL use an unpredictable value for the state parameter with at least 122 bits of entropy (e.g., a properly configured random uuid is suitable). The app SHALL validate the value of the state parameter upon return to the redirect URL and SHALL ensure that the state value is securely tied to the user’s current session (e.g., by relating the state value to a session identifier issued by the app). The app SHOULD limit the grants, scope, and period of time requested to the minimum necessary.

       

      To read: 

      The app SHOULD limit its requested scopes to the minimum necessary (i.e., minimizing the requested data categories and the requested duration of access). The app SHALL validate the value of the state parameter upon return to the redirect URL and SHALL ensure that the state value is securely tied to the user’s current session (e.g., by relating the state value to a session identifier issued by the app).

       

      (Note that per https://jira.hl7.org/browse/FHIR-32212, the entropy requirements are moved into the table above).

    • Gino Canessa/Yunwei Wang: 13-0-0
    • Clarification
    • Non-substantive

    Description

      The app SHALL use an unpredictable value for the state parameter with at least 122 bits of entropy (e.g., a properly configured random uuid is suitable). The app SHALL validate the value of the state parameter upon return to the redirect URL and SHALL ensure that the state value is securely tied to the user's current session (e.g., by relating the state value to a session identifier issued by the app). *The app SHOULD limit the grants, scope, and period of time requested to the minimum necessary.*

      This sentence does not seem to be related to the rest of the paragraph.
      To what does this relate? The access token or the code? Neither is discussed in this section.

      Please clarify
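
      The requirements discussed in this issue (an unpredictable state value, validation on return to the redirect URL, binding to the app's session, and minimal requested scopes) can be shown together in code. The following is an added example, not part of the issue or of the specification text; the in-memory store, function names, scope lists and URLs are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical in-memory store: app session id -> state awaiting its redirect.
PENDING_STATE = {}

# Constructed scope lists: the second asks for less data and no refresh token,
# so both the data categories and the duration of access are reduced.
BROAD_SCOPES = ["launch/patient", "patient/*.cruds", "offline_access"]
MINIMAL_SCOPES = ["launch/patient", "patient/Observation.rs"]


def build_authorization_url(session_id, authorize_url, client_id,
                            redirect_uri, aud, scopes=MINIMAL_SCOPES):
    """Build the authorization request and bind a fresh state to the session."""
    state = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG (>= 122)
    PENDING_STATE[session_id] = state
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "aud": aud,
    })
    return f"{authorize_url}?{query}"


def handle_redirect(session_id, redirect_url):
    """Return the authorization code only if state belongs to this session."""
    params = parse_qs(urlparse(redirect_url).query)
    returned = params.get("state", [""])[0]
    # pop() makes the state single use, so a replayed redirect is rejected.
    expected = PENDING_STATE.pop(session_id, None)
    if expected is None or not hmac.compare_digest(
            expected.encode(), returned.encode()):
        raise ValueError("state is missing or not bound to this session")
    if "code" not in params:
        raise ValueError("authorization response carries no code")
    return params["code"][0]
```

      A production app would keep the pending state in its server-side session storage with an expiry rather than in a process-local dictionary.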

          People

            carl-anderson-msft Carl Anderson (Inactive)
            bvdh Bas van den Heuvel