Technical details: how we keep your information secure
Authentication: Optional Discord login (OAuth 2.0 Authorization Code + PKCE); the token exchange is completed server-side so the client secret never reaches the browser.
No secrets in the browser: We use PKCE; the code_verifier never leaves your device, and only a minimal Discord session (id, username, avatar) is stored locally.
API writes: Match submissions are authenticated with a per-client HMAC signature and are rate-limited; logging in is not required to submit.
Data storage: Player ratings and matches are stored in DynamoDB; the read-only leaderboard is public.
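
The "API writes" item above, sketched as a server-side check. This is an added example, not this site's own code. The client ids, keys, canonical string (id, timestamp, body), timestamp window and rate-limit numbers are all assumptions made for illustration.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed sample keys; a real service would load per-client keys from a secret store.
CLIENT_KEYS = {"client-a": b"constructed-secret-a", "client-b": b"constructed-secret-b"}
MAX_SKEW = 300     # assumed: seconds a signed timestamp stays acceptable
RATE_LIMIT = 3     # assumed: accepted writes per client per window
RATE_WINDOW = 60   # assumed: window length in seconds
_recent = defaultdict(deque)  # client_id -> times of accepted writes


def sign(client_id, timestamp, body, key):
    """HMAC-SHA256 over an assumed canonical string: id, timestamp, raw body."""
    msg = b"\n".join([client_id.encode(), str(timestamp).encode(), body])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def check_submission(client_id, timestamp, body, signature, now=None):
    """Return (accepted, reason) for one match submission."""
    now = time.time() if now is None else now
    key = CLIENT_KEYS.get(client_id)
    if key is None:
        return False, "unknown client"
    if abs(now - timestamp) > MAX_SKEW:
        return False, "stale timestamp"  # bounds how long a captured request is usable
    expected = sign(client_id, timestamp, body, key)
    # Constant-time comparison, so response timing does not leak matching prefixes.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad signature"
    # Only verified requests count here; unsigned floods need a separate limiter.
    window = _recent[client_id]
    while window and now - window[0] >= RATE_WINDOW:
        window.popleft()  # drop entries that fell out of the window
    if len(window) >= RATE_LIMIT:
        return False, "rate limited"
    window.append(now)
    return True, "ok"
```

Because the signature covers the client id and the raw body, a signature issued for one client or one payload fails verification for any other.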