After -27 was posted, which addressed my SecDir review comments, I re-reviewed.

The only remaining bug I found is typographical.  In 4.2.1, the underscore is missing from access_token in "(and potentially access token)".  This is true in both the .txt and .html renderings.