# Finalise operation
| || ||Signicat's server sends an authorisation code (including other information) by redirecting the customer's app to the |
The customer's backend then needs to verify that it was the client who initiated the authentication process, by using the data it received from Signicat's server (especially comparing the state information)
| || ||Authorisation code is exchanged for access token|
| || |
| || ||The customer's server (as specified in the |
The most important attribute is the
The SAML response will need to be verified.