From 905165ffd3750f6d219a4b1b1347698c9bd1601b Mon Sep 17 00:00:00 2001 From: Hugh Nimmo-Smith Date: Thu, 14 May 2026 09:20:43 +0100 Subject: [PATCH] Link to RFC 9700 OAuth 2.0 Best Current Practices (#2379) --- changelogs/client_server/newsfragments/2379.clarification | 1 + content/client-server-api/_index.md | 3 +++ 2 files changed, 4 insertions(+) create mode 100644 changelogs/client_server/newsfragments/2379.clarification diff --git a/changelogs/client_server/newsfragments/2379.clarification b/changelogs/client_server/newsfragments/2379.clarification new file mode 100644 index 00000000..5a51936a --- /dev/null +++ b/changelogs/client_server/newsfragments/2379.clarification @@ -0,0 +1 @@ +Add link to RFC 9700 OAuth 2.0 Best Current Practices. diff --git a/content/client-server-api/_index.md b/content/client-server-api/_index.md index 61cdf91c..4cdb84ac 100644 --- a/content/client-server-api/_index.md +++ b/content/client-server-api/_index.md @@ -1742,6 +1742,9 @@ over the requirements to create a new account and is not limited by the steps defined in this specification. It also means that less trust is given to clients because they don't have access to the user's credentials anymore. +The best practices from [RFC 9700](https://datatracker.ietf.org/doc/html/rfc9700) +are applicable to this API and are recommended reading for implementors. + {{% boxes/warning %}} The [User-Interactive Authentication API](#user-interactive-authentication-api) is not compatible with the OAuth 2.0 API, so the endpoints that depend on it for
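Review bot: In `changelogs/client_server/newsfragments/2379.clarification`, the entry calls the document "RFC 9700 OAuth 2.0 Best Current Practices", which drops the word that tells a changelog reader what kind of guidance is being linked. The RFC's title is "Best Current Practice for OAuth 2.0 Security", so consider "Add link to RFC 9700, Best Current Practice for OAuth 2.0 Security."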
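Review bot: In the `content/client-server-api/_index.md` hunk (@@ -1742), the added sentence does not say that RFC 9700 is security guidance, and "are applicable to this API" leaves open which implementors are meant (clients, the server side, or both) and whether this is a requirement or background reading. Consider putting the title in the link text, for example "The security best practices from [RFC 9700: Best Current Practice for OAuth 2.0 Security](https://datatracker.ietf.org/doc/html/rfc9700)", and stating explicitly that the pointer is non-normative if that is the intent, since "recommended" in a specification can be read as a requirement level.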