Should the callback URI point to my global game server which manages basically everything?
But how would the server know which client to trust judging by that API key it's given?
Or should the callback URI point back to the client?
Although this might be insecure as well.