It is mentioned that [t]he web adapters are ready with batteries-included to handle OAuth and EventSub via webhooks[0]. While supporting webhooks strongly suggests the adapter is secure enough to be public facing, the same is not as clear for the OAuth functionality. The examples in the docs of using the adapters to handle oauth are restricted to a "localhost" scenario, where you have control over incoming requests. So, it'd be good if it were stated more clearly what the feature was designed for.