> Learn how to securely generate and validate a cryptographic nonce for use with the Implicit Flow with Form Post.

# Mitigate Replay Attacks When Using the Implicit Flow

To mitigate replay attacks when using the [Implicit Flow with Form Post](/docs/get-started/authentication-and-authorization-flow/implicit-flow-with-form-post), a <Tooltip tip="Nonce: Arbitrary number issued once in an authentication protocol to detect and prevent replay attacks." cta="View Glossary" href="/docs/glossary?term=nonce">nonce</Tooltip> must be sent on authentication requests [as required by the OpenID Connect (OIDC) specification](https://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest).

The nonce is generated by the application, sent as a `nonce` query string parameter in the authentication request, and included in the <Tooltip tip="ID Token: Credential meant for the client itself, rather than for accessing a resource." cta="View Glossary" href="/docs/glossary?term=ID+Token">ID Token</Tooltip> response from Auth0. This allows applications to correlate the ID Token response from Auth0 with the initial authentication request. Because the nonce is what ties a returned token to the request that initiated it, it must be unpredictable and used for exactly one authentication request.

To learn more about where to include the nonce, see [Add Login Using the Implicit Flow with Form Post](/docs/get-started/authentication-and-authorization-flow/implicit-flow-with-form-post/add-login-using-the-implicit-flow-with-form-post).

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  [Auth0.js](/docs/libraries/auth0js) manages `state` and `nonce` parameters for you when using [cross-origin authentication](/docs/authenticate/login/cross-origin-authentication).
</Callout>

## Generate a cryptographically random nonce

One way to generate a cryptographically random nonce is to use a library such as [Nano ID](https://github.com/ai/nanoid) or similar, which requires bundling it with your JavaScript code. If that's not possible, [modern browsers](http://caniuse.com/#feat=cryptography) expose the [Web Crypto API](https://www.w3.org/TR/WebCryptoAPI/), whose `crypto.getRandomValues()` fills a typed array with cryptographically secure random bytes; the function below maps those bytes onto a printable alphabet to produce a nonce. Do not use `Math.random()` for this purpose: it is not a cryptographically secure generator.

```javascript lines theme={null}
// Returns a random string of `length` characters drawn from a 64-character
// alphabet, using the browser's CSPRNG (never Math.random()).
function randomString(length) {
    var charset = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/';
    var result = '';

    while (length > 0) {
        var bytes = new Uint8Array(16);
        var random = window.crypto.getRandomValues(bytes);

        for (var i = 0; i < random.length && length > 0; i++) {
            var c = random[i];
            // Only accept bytes that index into the alphabet (rejection sampling).
            // Every accepted value is equally likely, so no bias is introduced.
            if (c < charset.length) {
                result += charset[c];
                length--;
            }
        }
    }
    return result;
}
```

## Persist nonces across requests

The generated nonce must be persisted by your web application between the authentication request and the response, so that it can be compared against the `nonce` claim of the returned ID Token. Which storage fits depends on where the response is handled:

* `HttpOnly` <Tooltip tip="Session Cookie: Entity that, when present, allows the user to be considered authenticated." cta="View Glossary" href="/docs/glossary?term=session+cookie">session cookie</Tooltip>: readable only by your server, so use it when the form post is received and the ID Token validated server-side
* HTML5 local storage value: readable by your client-side JavaScript, so use it when the application validates the ID Token in the browser

Generate a fresh nonce for every authentication request, and delete it once the response has been checked so that the same value is never accepted twice.

For example:

```js lines theme={null}
window.localStorage.setItem('nonce', randomString(16));
```

## Validate ID token

Once Auth0 responds with an [ID Token](/docs/secure/tokens/id-tokens), this token must be [validated and decoded](/docs/secure/tokens/id-tokens/validate-id-tokens) as usual (signature, issuer, audience, and expiry). Only then compare its `nonce` claim: it must be present and contain the exact same value that was sent in the request. If the claim is missing or differs, the application must reject the authentication. Remove the stored nonce after the comparison, whatever its outcome, so it cannot be reused.

```javascript lines theme={null}
var jwt = '...'; // validated and decoded ID Token body (the claims object)
var expected = window.localStorage.getItem('nonce');
// Consume the stored value first so the same nonce is never accepted twice.
window.localStorage.removeItem('nonce');

if (expected && jwt.nonce === expected) {
    // Nonce is OK
} else {
    // Nonce is missing or not OK! Token replay attack might be underway
}
```

## Learn more

* [Implicit Flow with Form Post](/docs/get-started/authentication-and-authorization-flow/implicit-flow-with-form-post)
* [Add Login Using the Implicit Flow with Form Post](/docs/get-started/authentication-and-authorization-flow/implicit-flow-with-form-post/add-login-using-the-implicit-flow-with-form-post)
* [Implicit Flow with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-implicit-flow)
