diff --git a/README.md b/README.md index 4589d9e82..f58046173 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # oidc-provider -oidc-provider is an OAuth 2.0 Authorization Server with [OpenID Connect][openid-connect] and many -additional features and standards implemented. +oidc-provider is an OAuth 2.0 Authorization Server with support for [OpenID Connect][openid-connect] (`OIDC`) and many +other additional features and standards. **Table of Contents** 
@@ -13,30 +13,31 @@ additional features and standards implemented. ## Implemented specs & features -The following specifications are implemented by oidc-provider: +The following specifications are implemented by oidc-provider (not exhaustive): _Note that not all features are enabled by default, check the configuration section on how to enable them._ -- [RFC6749 - OAuth 2.0][oauth2] & [OpenID Connect Core 1.0][core] -- [OpenID Connect Discovery 1.0][discovery] -- [OpenID Connect Dynamic Client Registration 1.0][registration] and [RFC7591 - OAuth 2.0 Dynamic Client Registration Protocol][oauth2-registration] -- [OpenID Connect RP-Initiated Logout 1.0][rpinitiated-logout] -- [OpenID Connect Back-Channel Logout 1.0][backchannel-logout] -- [OAuth 2.0 Form Post Response Mode][form-post] -- [RFC7009 - OAuth 2.0 Token Revocation][revocation] -- [RFC7592 - OAuth 2.0 Dynamic Client Registration Management Protocol][registration-management] -- [RFC7636 - Proof Key for Code Exchange (PKCE)][pkce] -- [RFC7662 - OAuth 2.0 Token Introspection][introspection] -- [RFC8252 - OAuth 2.0 for Native Apps BCP (AppAuth)][oauth-native-apps] -- [RFC8628 - OAuth 2.0 Device Authorization Grant (Device Flow)][device-flow] -- [RFC8705 - OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (MTLS)][mtls] -- [RFC8707 - OAuth 2.0 Resource Indicators][resource-indicators] -- [RFC9101 - OAuth 2.0 JWT-Secured Authorization Request (JAR)][jar] -- [RFC9126 - OAuth 2.0 Pushed Authorization Requests (PAR)][par] -- [RFC9207 - OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response][iss-auth-resp] -- [Financial-grade API Security Profile 1.0 - Part 2: Advanced (FAPI)][fapi] -- [JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)][jarm] -- [OpenID Connect Client Initiated Backchannel Authentication Flow - Core 1.0 (CIBA)][ciba] +- [`RFC6749` - OAuth 2.0][oauth2] & [OIDC `Core 1.0`][core] +- [OIDC `Discovery 1.0`][discovery] +- Dynamic Client Registration 
+ - [OIDC `Dynamic Client Registration 1.0`][registration] + - [`RFC7591` - OAuth 2.0 Dynamic Client Registration Protocol][oauth2-registration] + - [`RFC7592` - OAuth 2.0 Dynamic Client Registration Management Protocol][registration-management] +- [OIDC `RP-Initiated Logout 1.0`][rpinitiated-logout] +- [OIDC `Back-Channel Logout 1.0`][backchannel-logout] +- [`RFC7009` - OAuth 2.0 Token Revocation][revocation] +- [`RFC7636` - Proof Key for Code Exchange (`PKCE`)][pkce] +- [`RFC7662` - OAuth 2.0 Token Introspection][introspection] +- [`RFC8252` - OAuth 2.0 for Native Apps BCP (`AppAuth`)][oauth-native-apps] +- [`RFC8628` - OAuth 2.0 Device Authorization Grant (`Device Flow`)][device-flow] +- [`RFC8705` - OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (`MTLS`)][mtls] +- [`RFC8707` - OAuth 2.0 Resource Indicators][resource-indicators] +- [`RFC9101` - OAuth 2.0 JWT-Secured Authorization Request (`JAR`)][jar] +- [`RFC9126` - OAuth 2.0 Pushed Authorization Requests (`PAR`)][par] +- [`RFC9207` - OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response][iss-auth-resp] +- [Financial-grade API Security Profile 1.0 - Part 2: Advanced (`FAPI 1.0`)][fapi] +- [JWT Secured Authorization Response Mode for OAuth 2.0 (`JARM`)][jarm] +- [OIDC Client Initiated Backchannel Authentication Flow (`CIBA`)][ciba] Supported Access Token formats: 
@@ -46,8 +47,8 @@ Supported Access Token formats: The following draft specifications are implemented by oidc-provider: - [JWT Response for OAuth Token Introspection - draft 10][jwt-introspection] -- [Financial-grade API: Client Initiated Backchannel Authentication Profile (FAPI-CIBA) - Implementer's Draft 01][fapi-ciba] -- [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) - draft 11][dpop] +- [Financial-grade API: Client Initiated Backchannel Authentication Profile (`FAPI-CIBA`) - Implementer's Draft 01][fapi-ciba] +- [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (`DPoP`) - draft 11][dpop] Updates to draft specification versions are released as MINOR library versions, if you utilize these specification implementations consider using the tilde `~` operator in your @@ -58,7 +59,7 @@ your CI. ## Certification [OpenID Certification][openid-certified-link] Filip Skokan has [certified][openid-certified-link] that [oidc-provider][npm-url] -conforms to the following profiles of the OpenID Connectâ„¢ protocol +conforms to the following profiles of the OpenID Connectâ„¢ protocol. - Basic, Implicit, Hybrid, Config, Dynamic, Form Post, and 3rd Party-Init OP profiles - Back-Channel Logout and RP-Initiated Logout @@ -99,7 +100,7 @@ oidc.listen(3000, () => { ## Recipes -Collection of useful configurations use cases are available over at [recipes](/recipes). +Collection of useful configuration use cases are available over at [recipes](/recipes). ## Events 
@@ -114,7 +115,6 @@ actions and i.e. emit metrics that react to specific triggers. See the list of a [discovery]: https://openid.net/specs/openid-connect-discovery-1_0.html [oauth2-registration]: https://www.rfc-editor.org/rfc/rfc7591.html [registration]: https://openid.net/specs/openid-connect-registration-1_0.html -[form-post]: https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html [oauth2]: https://www.rfc-editor.org/rfc/rfc6749.html [oauth2-bearer]: https://www.rfc-editor.org/rfc/rfc6750.html [revocation]: https://www.rfc-editor.org/rfc/rfc7009.html diff --git a/docs/README.md b/docs/README.md index 8e054646a..091947a00 100644 --- a/docs/README.md +++ b/docs/README.md @@ -623,7 +623,7 @@ new Provider('http://localhost:3000', { ### features.backchannelLogout -[Back-Channel Logout 1.0](https://openid.net/specs/openid-connect-backchannel-1_0-final.html) +[`OIDC Back-Channel Logout 1.0`](https://openid.net/specs/openid-connect-backchannel-1_0-final.html) Enables Back-Channel Logout features. @@ -637,9 +637,9 @@ _**default value**_: ### features.ciba -[OpenID Connect Client Initiated Backchannel Authentication Flow - Core 1.0](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-final.html) +[OIDC Client Initiated Backchannel Authentication Flow (`CIBA`)](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-final.html) -Enables Core CIBA Flow, when combined with `features.fapi` and `features.requestObjects.request` enables [Financial-grade API: Client Initiated Backchannel Authentication Profile - Implementer's Draft 01](https://openid.net/specs/openid-financial-api-ciba-ID1.html) as well. +Enables Core `CIBA` Flow, when combined with `features.fapi` and `features.requestObjects.request` enables [Financial-grade API: Client Initiated Backchannel Authentication Profile - Implementer's Draft 01](https://openid.net/specs/openid-financial-api-ciba-ID1.html) as well. 
@@ -682,7 +682,7 @@ _**default value**_: Helper function used to process the login_hint parameter and return the accountId value to use for processsing the request. -_**recommendation**_: Use `throw errors.InvalidRequest('validation error message')` when login_hint is invalid. +_**recommendation**_: Use `throw new errors.InvalidRequest('validation error message')` when login_hint is invalid. _**recommendation**_: Use `return undefined` or when you can't determine the accountId from the login_hint. @@ -701,9 +701,9 @@ async function processLoginHint(ctx, loginHint) { Helper function used to process the login_hint_token parameter and return the accountId value to use for processsing the request. -_**recommendation**_: Use `throw errors.ExpiredLoginHintToken('validation error message')` when login_hint_token is expired. +_**recommendation**_: Use `throw new errors.ExpiredLoginHintToken('validation error message')` when login_hint_token is expired. -_**recommendation**_: Use `throw errors.InvalidRequest('validation error message')` when login_hint_token is invalid. +_**recommendation**_: Use `throw new errors.InvalidRequest('validation error message')` when login_hint_token is invalid. _**recommendation**_: Use `return undefined` or when you can't determine the accountId from the login_hint. @@ -759,7 +759,7 @@ await provider.backchannelResult(...); Helper function used to process the binding_message parameter and throw if its not following the authorization server's policy. -_**recommendation**_: Use `throw errors.InvalidBindingMessage('validation error message')` when the binding_message is invalid. +_**recommendation**_: Use `throw new errors.InvalidBindingMessage('validation error message')` when the binding_message is invalid. _**recommendation**_: Use `return undefined` when a binding_message isn't required and wasn't provided. 
@@ -780,7 +780,7 @@ async function validateBindingMessage(ctx, bindingMessage) { Helper function used to process the request_context parameter and throw if its not following the authorization server's policy. -_**recommendation**_: Use `throw errors.InvalidRequest('validation error message')` when the request_context is required by policy and missing or invalid. +_**recommendation**_: Use `throw new errors.InvalidRequest('validation error message')` when the request_context is required by policy and missing or invalid. _**recommendation**_: Use `return undefined` when a request_context isn't required and wasn't provided. @@ -799,9 +799,9 @@ async function validateRequestContext(ctx, requestContext) { Helper function used to verify the user_code parameter value is present when required and verify its value. -_**recommendation**_: Use `throw errors.MissingUserCode('validation error message')` when user_code should have been provided but wasn't. +_**recommendation**_: Use `throw new errors.MissingUserCode('validation error message')` when user_code should have been provided but wasn't. -_**recommendation**_: Use `throw errors.InvalidUserCode('validation error message')` when the provided user_code is invalid. +_**recommendation**_: Use `throw new errors.InvalidUserCode('validation error message')` when the provided user_code is invalid. _**recommendation**_: Use `return undefined` when no user_code was provided and isn't required. @@ -820,7 +820,7 @@ async function verifyUserCode(ctx, account, userCode) { ### features.claimsParameter -[Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter) - Requesting Claims using the "claims" Request Parameter +[`OIDC Core 1.0`](https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter) - Requesting Claims using the "claims" Request Parameter Enables the use and validations of `claims` parameter as described in the specification. 
@@ -835,7 +835,7 @@ _**default value**_: ### features.clientCredentials -[RFC6749](https://www.rfc-editor.org/rfc/rfc6749.html#section-1.3.4) - Client Credentials +[`RFC6749`](https://www.rfc-editor.org/rfc/rfc6749.html#section-1.3.4) - Client Credentials Enables `grant_type=client_credentials` to be used on the token endpoint. @@ -849,7 +849,7 @@ _**default value**_: ### features.dPoP -[draft-ietf-oauth-dpop-11](https://tools.ietf.org/html/draft-ietf-oauth-dpop-11) - OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) +[draft-ietf-oauth-dpop-11](https://tools.ietf.org/html/draft-ietf-oauth-dpop-11) - OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (`DPoP`) Enables `DPoP` - mechanism for sender-constraining tokens via a proof-of-possession mechanism on the application level. Browser DPoP proof generation [here](https://www.npmjs.com/package/dpop). @@ -909,7 +909,7 @@ _**default value**_: ### features.deviceFlow -[RFC8628](https://www.rfc-editor.org/rfc/rfc8628.html) - OAuth 2.0 Device Authorization Grant (Device Flow) +[`RFC8628`](https://www.rfc-editor.org/rfc/rfc8628.html) - OAuth 2.0 Device Authorization Grant (`Device Flow`) Enables Device Authorization Grant @@ -1095,7 +1095,7 @@ _**default value**_: ### features.fapi -Financial-grade API Security Profile +Financial-grade API Security Profile (`FAPI`) Enables extra Authorization Server behaviours defined in FAPI that cannot be achieved by other configuration options. 
@@ -1113,10 +1113,10 @@ _**default value**_: #### profile -The specific profile of FAPI to enable. Supported values are: +The specific profile of `FAPI` to enable. Supported values are: - '1.0 Final' Enables behaviours from [Financial-grade API Security Profile 1.0 - Part 2: Advanced](https://openid.net/specs/openid-financial-api-part-2-1_0.html) - '1.0 ID2' Enables behaviours from [Financial-grade API - Part 2: Read and Write API Security Profile - Implementer's Draft 02](https://openid.net/specs/openid-financial-api-part-2-ID2.html) - - Function returning one of the other supported values, or undefined if FAPI behaviours are to be ignored. The function is invoked with two arguments `(ctx, client)` and serves the purpose of allowing the used profile to be context-specific. + - Function returning one of the other supported values, or undefined if `FAPI` behaviours are to be ignored. The function is invoked with two arguments `(ctx, client)` and serves the purpose of allowing the used profile to be context-specific. _**default value**_: @@ -1128,7 +1128,7 @@ undefined ### features.introspection -[RFC7662](https://www.rfc-editor.org/rfc/rfc7662.html) - OAuth 2.0 Token Introspection +[`RFC7662`](https://www.rfc-editor.org/rfc/rfc7662.html) - OAuth 2.0 Token Introspection Enables Token Introspection for: - opaque access tokens @@ -1184,7 +1184,7 @@ _**default value**_: ### features.jwtResponseModes -[JWT Secured Authorization Response Mode (JARM)](https://openid.net/specs/oauth-v2-jarm.html) +[JWT Secured Authorization Response Mode (`JARM`)](https://openid.net/specs/oauth-v2-jarm.html) Enables JWT Secured Authorization Responses 
@@ -1198,7 +1198,7 @@ _**default value**_: ### features.jwtUserinfo -[Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo) - JWT UserInfo Endpoint Responses +[`OIDC Core 1.0`](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo) - JWT UserInfo Endpoint Responses Enables the userinfo to optionally return signed and/or encrypted JWTs, also enables the relevant client metadata for setting up signing and/or encryption. @@ -1212,7 +1212,7 @@ _**default value**_: ### features.mTLS -[RFC8705](https://www.rfc-editor.org/rfc/rfc8705.html) - OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (MTLS) +[`RFC8705`](https://www.rfc-editor.org/rfc/rfc8705.html) - OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (`MTLS`) Enables specific features from the Mutual TLS specification. The three main features have their own specific setting in this feature's configuration object and you must provide functions for resolving some of the functions which are deployment-specific. @@ -1348,7 +1348,7 @@ false ### features.pushedAuthorizationRequests -[RFC9126](https://www.rfc-editor.org/rfc/rfc9126.html) - OAuth 2.0 Pushed Authorization Requests (PAR) +[`RFC9126`](https://www.rfc-editor.org/rfc/rfc9126.html) - OAuth 2.0 Pushed Authorization Requests (`PAR`) Enables the use of `pushed_authorization_request_endpoint` defined by the Pushed Authorization Requests RFC. @@ -1366,7 +1366,7 @@ _**default value**_: #### requirePushedAuthorizationRequests -Makes the use of PAR required for all authorization requests as an OP policy. +Makes the use of `PAR` required for all authorization requests as an OP policy. _**default value**_: 
@@ -1378,7 +1378,7 @@ false ### features.registration -[Dynamic Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html) +[`Dynamic Client Registration 1.0`](https://openid.net/specs/openid-connect-registration-1_0.html) and [`RFC7591` - OAuth 2.0 Dynamic Client Registration Protocol](https://www.rfc-editor.org/rfc/rfc7591.html) Enables Dynamic Client Registration. @@ -1578,7 +1578,7 @@ true ### features.requestObjects -[Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#RequestObject) and [JWT Secured Authorization Request (JAR)](https://www.rfc-editor.org/rfc/rfc9101.html) - Request Object +[`OIDC Core 1.0`](https://openid.net/specs/openid-connect-core-1_0.html#RequestObject) and [JWT Secured Authorization Request (`JAR`)](https://www.rfc-editor.org/rfc/rfc9101.html) - Request Object Enables the use and validations of the `request` and/or `request_uri` parameters. @@ -1601,8 +1601,8 @@ _**default value**_: defines the provider's strategy when it comes to using regular OAuth 2.0 parameters that are present. Parameters inside the Request Object are ALWAYS used, this option controls whether to combine those with the regular ones or not. Supported values are: - - 'lax' (default) This is the behaviour expected by OIDC Core 1.0 - all parameters that are not present in the Resource Object are used when resolving the authorization request. - - 'strict' This is the behaviour expected by FAPI or JAR, all parameters outside of the Request Object are ignored. For FAPI and FAPI-CIBA this value is enforced. + - 'lax' This is the behaviour expected by `OIDC Core 1.0` - all parameters that are not present in the Resource Object are used when resolving the authorization request. + - 'strict' (default) All parameters outside of the Request Object are ignored. For `PAR`, `FAPI`, and `CIBA` this value is enforced. 
@@ -1655,7 +1655,7 @@ true ### features.resourceIndicators -[RFC8707](https://www.rfc-editor.org/rfc/rfc8707.html) - Resource Indicators for OAuth 2.0 +[`RFC8707`](https://www.rfc-editor.org/rfc/rfc8707.html) - Resource Indicators for OAuth 2.0 Enables the use of `resource` parameter for the authorization and token endpoints to enable issuing Access Tokens for Resource Servers (APIs). - Multiple resource parameters may be present during Authorization Code Flow, Device Authorization Grant, and Backchannel Authentication Requests, but only a single audience for an Access Token is permitted. @@ -1821,7 +1821,7 @@ async function useGrantedResource(ctx, model) { ### features.revocation -[RFC7009](https://www.rfc-editor.org/rfc/rfc7009.html) - OAuth 2.0 Token Revocation +[`RFC7009`](https://www.rfc-editor.org/rfc/rfc7009.html) - OAuth 2.0 Token Revocation Enables Token Revocation for: - opaque access tokens @@ -1838,7 +1838,7 @@ _**default value**_: ### features.rpInitiatedLogout -[RP-Initiated Logout 1.0](https://openid.net/specs/openid-connect-rpinitiated-1_0-final.html) +[`OIDC RP-Initiated Logout 1.0`](https://openid.net/specs/openid-connect-rpinitiated-1_0-final.html) Enables RP-Initiated Logout features @@ -1915,7 +1915,7 @@ async function postLogoutSuccessSource(ctx) { ### features.userinfo -[Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo) - UserInfo Endpoint +[`OIDC Core 1.0`](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo) - UserInfo Endpoint Enables the userinfo endpoint. Its use requires an opaque Access Token with at least `openid` scope that's without a Resource Server audience. 
@@ -2096,7 +2096,7 @@ _**default value**_: ID Token only contains End-User claims when the requested `response_type` is `id_token` -[Core 1.0 - Requesting Claims using Scope Values](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) defines that claims requested using the `scope` parameter are only returned from the UserInfo Endpoint unless the `response_type` is `id_token`. +[`OIDC Core 1.0` - Requesting Claims using Scope Values](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) defines that claims requested using the `scope` parameter are only returned from the UserInfo Endpoint unless the `response_type` is `id_token`. Despite of this configuration the ID Token always includes claims requested using the `scope` parameter when the userinfo endpoint is disabled, or when issuing an Access Token not applicable for access to the userinfo endpoint. @@ -2680,7 +2680,7 @@ async function loadExistingGrant(ctx) { ### pairwiseIdentifier -Function used by the OP when resolving pairwise ID Token and Userinfo sub claim values. See [Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg) +Function used by the OP when resolving pairwise ID Token and Userinfo sub claim values. See [`OIDC Core 1.0`](https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg) _**recommendation**_: Since this might be called several times in one request with the same arguments consider using memoization or otherwise caching the result based on account and client ids. @@ -2698,9 +2698,9 @@ async function pairwiseIdentifier(ctx, accountId, client) { ### pkce -[RFC7636 - Proof Key for Code Exchange (PKCE)](https://www.rfc-editor.org/rfc/rfc7636.html) +[`RFC7636` - Proof Key for Code Exchange (`PKCE`)](https://www.rfc-editor.org/rfc/rfc7636.html) -PKCE configuration such as available methods and policy check on required use of PKCE +`PKCE` configuration such as available methods and policy check on required use of `PKCE` ### pkce.methods 
@@ -2719,8 +2719,8 @@ _**default value**_: ### pkce.required -Configures if and when the OP requires clients to use PKCE. This helper is called whenever an authorization request lacks the code_challenge parameter. Return - - `false` to allow the request to continue without PKCE +Configures if and when the OP requires clients to use `PKCE`. This helper is called whenever an authorization request lacks the code_challenge parameter. Return + - `false` to allow the request to continue without `PKCE` - `true` to abort the request @@ -2773,7 +2773,7 @@ _**default value**_:
(Click to expand) Supported values list
-These are values defined in [Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#Authentication) and [OAuth 2.0 Multiple Response Type Encoding Practices](https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html) +These are values defined in [`OIDC Core 1.0`](https://openid.net/specs/openid-connect-core-1_0.html#Authentication) and [OAuth 2.0 Multiple Response Type Encoding Practices](https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html) ```js @@ -2970,12 +2970,10 @@ Configure `ttl` for a given token type with a function like so, this must return Fine-tune the algorithms your provider will support by declaring algorithm values for each respective JWA use -_**recommendation**_: Only allow JWA algs that are necessary. The current defaults are based on recommendations from the [JWA specification](https://www.rfc-editor.org/rfc/rfc7518.html) + enables RSASSA-PSS based on current guidance in FAPI. "none" JWT algs are disabled by default but available if you need them. - ### enabledJWA.authorizationEncryptionAlgValues -JWE "alg" Algorithm values the provider supports for JWT Authorization response (JARM) encryption +JWE "alg" Algorithm values the provider supports for JWT Authorization response (`JARM`) encryption @@ -3009,7 +3007,7 @@ _**default value**_: ### enabledJWA.authorizationEncryptionEncValues -JWE "enc" Content Encryption Algorithm values the provider supports to encrypt JWT Authorization Responses (JARM) with +JWE "enc" Content Encryption Algorithm values the provider supports to encrypt JWT Authorization Responses (`JARM`) with @@ -3034,7 +3032,7 @@ _**default value**_: ### enabledJWA.authorizationSigningAlgValues -JWS "alg" Algorithm values the provider supports to sign JWT Authorization Responses (JARM) with +JWS "alg" Algorithm values the provider supports to sign JWT Authorization Responses (`JARM`) with 
@@ -3295,7 +3293,7 @@ _**default value**_: ### enabledJWA.requestObjectEncryptionAlgValues -JWE "alg" Algorithm values the provider supports to receive encrypted Request Objects (JAR) with +JWE "alg" Algorithm values the provider supports to receive encrypted Request Objects (`JAR`) with @@ -3329,7 +3327,7 @@ _**default value**_: ### enabledJWA.requestObjectEncryptionEncValues -JWE "enc" Content Encryption Algorithm values the provider supports to decrypt Request Objects (JAR) with +JWE "enc" Content Encryption Algorithm values the provider supports to decrypt Request Objects (`JAR`) with @@ -3354,7 +3352,7 @@ _**default value**_: ### enabledJWA.requestObjectSigningAlgValues -JWS "alg" Algorithm values the provider supports to receive signed Request Objects (JAR) with +JWS "alg" Algorithm values the provider supports to receive signed Request Objects (`JAR`) with diff --git a/lib/helpers/defaults.js b/lib/helpers/defaults.js index bb3aecb29..718cadbcf 100644 --- a/lib/helpers/defaults.js +++ b/lib/helpers/defaults.js @@ -681,7 +681,7 @@ function makeDefaults() { * * title: ID Token only contains End-User claims when the requested `response_type` is `id_token` * - * description: [Core 1.0 - Requesting Claims using Scope Values](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) + * description: [`OIDC Core 1.0` - Requesting Claims using Scope Values](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) * defines that claims requested using the `scope` parameter are only returned from the UserInfo * Endpoint unless the `response_type` is `id_token`. * 
@@ -871,7 +871,7 @@ function makeDefaults() { /* * features.dPoP * - * title: [draft-ietf-oauth-dpop-11](https://tools.ietf.org/html/draft-ietf-oauth-dpop-11) - OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) + * title: [draft-ietf-oauth-dpop-11](https://tools.ietf.org/html/draft-ietf-oauth-dpop-11) - OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (`DPoP`) * * description: Enables `DPoP` - mechanism for sender-constraining tokens via a * proof-of-possession mechanism on the application level. Browser DPoP proof generation @@ -904,7 +904,7 @@ function makeDefaults() { /* * features.backchannelLogout * - * title: [Back-Channel Logout 1.0](https://openid.net/specs/openid-connect-backchannel-1_0-final.html) + * title: [`OIDC Back-Channel Logout 1.0`](https://openid.net/specs/openid-connect-backchannel-1_0-final.html) * * description: Enables Back-Channel Logout features. */ @@ -913,9 +913,9 @@ function makeDefaults() { /* * features.ciba * - * title: [OpenID Connect Client Initiated Backchannel Authentication Flow - Core 1.0](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-final.html) + * title: [OIDC Client Initiated Backchannel Authentication Flow (`CIBA`)](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-final.html) * - * description: Enables Core CIBA Flow, when combined with `features.fapi` and `features.requestObjects.request` enables [Financial-grade API: Client Initiated Backchannel Authentication Profile - Implementer's Draft 01](https://openid.net/specs/openid-financial-api-ciba-ID1.html) as well. + * description: Enables Core `CIBA` Flow, when combined with `features.fapi` and `features.requestObjects.request` enables [Financial-grade API: Client Initiated Backchannel Authentication Profile - Implementer's Draft 01](https://openid.net/specs/openid-financial-api-ciba-ID1.html) as well. * */ ciba: { 
@@ -963,7 +963,7 @@ function makeDefaults() { * * description: Helper function used to process the binding_message parameter and throw if its not following the authorization server's policy. * - * recommendation: Use `throw errors.InvalidBindingMessage('validation error message')` when the binding_message is invalid. + * recommendation: Use `throw new errors.InvalidBindingMessage('validation error message')` when the binding_message is invalid. * recommendation: Use `return undefined` when a binding_message isn't required and wasn't provided. * */ @@ -974,7 +974,7 @@ function makeDefaults() { * * description: Helper function used to process the request_context parameter and throw if its not following the authorization server's policy. * - * recommendation: Use `throw errors.InvalidRequest('validation error message')` when the request_context is required by policy and missing or + * recommendation: Use `throw new errors.InvalidRequest('validation error message')` when the request_context is required by policy and missing or * invalid. * recommendation: Use `return undefined` when a request_context isn't required and wasn't provided. * @@ -986,8 +986,8 @@ function makeDefaults() { * * description: Helper function used to process the login_hint_token parameter and return the accountId value to use for processsing the request. * - * recommendation: Use `throw errors.ExpiredLoginHintToken('validation error message')` when login_hint_token is expired. - * recommendation: Use `throw errors.InvalidRequest('validation error message')` when login_hint_token is invalid. + * recommendation: Use `throw new errors.ExpiredLoginHintToken('validation error message')` when login_hint_token is expired. + * recommendation: Use `throw new errors.InvalidRequest('validation error message')` when login_hint_token is invalid. * recommendation: Use `return undefined` or when you can't determine the accountId from the login_hint. * */ 
@@ -998,7 +998,7 @@ function makeDefaults() { * * description: Helper function used to process the login_hint parameter and return the accountId value to use for processsing the request. * - * recommendation: Use `throw errors.InvalidRequest('validation error message')` when login_hint is invalid. + * recommendation: Use `throw new errors.InvalidRequest('validation error message')` when login_hint is invalid. * recommendation: Use `return undefined` or when you can't determine the accountId from the login_hint. * */ @@ -1009,8 +1009,8 @@ function makeDefaults() { * * description: Helper function used to verify the user_code parameter value is present when required and verify its value. * - * recommendation: Use `throw errors.MissingUserCode('validation error message')` when user_code should have been provided but wasn't. - * recommendation: Use `throw errors.InvalidUserCode('validation error message')` when the provided user_code is invalid. + * recommendation: Use `throw new errors.MissingUserCode('validation error message')` when user_code should have been provided but wasn't. + * recommendation: Use `throw new errors.InvalidUserCode('validation error message')` when the provided user_code is invalid. * recommendation: Use `return undefined` when no user_code was provided and isn't required. * */ @@ -1020,7 +1020,7 @@ function makeDefaults() { /* * features.mTLS * - * title: [RFC8705](https://www.rfc-editor.org/rfc/rfc8705.html) - OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (MTLS) + * title: [`RFC8705`](https://www.rfc-editor.org/rfc/rfc8705.html) - OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (`MTLS`) * * description: Enables specific features from the Mutual TLS specification. The three main * features have their own specific setting in this feature's configuration object and 
@@ -1151,7 +1151,7 @@ function makeDefaults() { /* * features.claimsParameter * - * title: [Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter) - Requesting Claims using the "claims" Request Parameter + * title: [`OIDC Core 1.0`](https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter) - Requesting Claims using the "claims" Request Parameter * * description: Enables the use and validations of `claims` parameter as described in the * specification. @@ -1162,7 +1162,7 @@ function makeDefaults() { /* * features.clientCredentials * - * title: [RFC6749](https://www.rfc-editor.org/rfc/rfc6749.html#section-1.3.4) - Client Credentials + * title: [`RFC6749`](https://www.rfc-editor.org/rfc/rfc6749.html#section-1.3.4) - Client Credentials * * description: Enables `grant_type=client_credentials` to be used on the token endpoint. */ @@ -1171,7 +1171,7 @@ function makeDefaults() { /* * features.deviceFlow * - * title: [RFC8628](https://www.rfc-editor.org/rfc/rfc8628.html) - OAuth 2.0 Device Authorization Grant (Device Flow) + * title: [`RFC8628`](https://www.rfc-editor.org/rfc/rfc8628.html) - OAuth 2.0 Device Authorization Grant (`Device Flow`) * * description: Enables Device Authorization Grant */ @@ -1241,7 +1241,7 @@ function makeDefaults() { /* * features.fapi * - * title: Financial-grade API Security Profile + * title: Financial-grade API Security Profile (`FAPI`) * * description: Enables extra Authorization Server behaviours defined in FAPI that cannot be * achieved by other configuration options. 
@@ -1251,11 +1251,11 @@ function makeDefaults() { /* * features.fapi.profile * - * description: The specific profile of FAPI to enable. Supported values are: + * description: The specific profile of `FAPI` to enable. Supported values are: * * - '1.0 Final' Enables behaviours from [Financial-grade API Security Profile 1.0 - Part 2: Advanced](https://openid.net/specs/openid-financial-api-part-2-1_0.html) * - '1.0 ID2' Enables behaviours from [Financial-grade API - Part 2: Read and Write API Security Profile - Implementer's Draft 02](https://openid.net/specs/openid-financial-api-part-2-ID2.html) - * - Function returning one of the other supported values, or undefined if FAPI behaviours are to be ignored. The function is invoked with two arguments `(ctx, client)` and serves the purpose of allowing the used profile to be context-specific. + * - Function returning one of the other supported values, or undefined if `FAPI` behaviours are to be ignored. The function is invoked with two arguments `(ctx, client)` and serves the purpose of allowing the used profile to be context-specific. */ profile: undefined, }, @@ -1263,7 +1263,7 @@ function makeDefaults() { /* * features.rpInitiatedLogout * - * title: [RP-Initiated Logout 1.0](https://openid.net/specs/openid-connect-rpinitiated-1_0-final.html) + * title: [`OIDC RP-Initiated Logout 1.0`](https://openid.net/specs/openid-connect-rpinitiated-1_0-final.html) * * description: Enables RP-Initiated Logout features */ @@ -1290,7 +1290,7 @@ function makeDefaults() { /* * features.introspection * - * title: [RFC7662](https://www.rfc-editor.org/rfc/rfc7662.html) - OAuth 2.0 Token Introspection + * title: [`RFC7662`](https://www.rfc-editor.org/rfc/rfc7662.html) - OAuth 2.0 Token Introspection * * description: Enables Token Introspection for: * - opaque access tokens 
@@ -1327,7 +1327,7 @@ function makeDefaults() { /* * features.jwtResponseModes * - * title: [JWT Secured Authorization Response Mode (JARM)](https://openid.net/specs/oauth-v2-jarm.html) + * title: [JWT Secured Authorization Response Mode (`JARM`)](https://openid.net/specs/oauth-v2-jarm.html) * * description: Enables JWT Secured Authorization Responses */ @@ -1336,7 +1336,7 @@ function makeDefaults() { /* * features.pushedAuthorizationRequests * - * title: [RFC9126](https://www.rfc-editor.org/rfc/rfc9126.html) - OAuth 2.0 Pushed Authorization Requests (PAR) + * title: [`RFC9126`](https://www.rfc-editor.org/rfc/rfc9126.html) - OAuth 2.0 Pushed Authorization Requests (`PAR`) * * description: Enables the use of `pushed_authorization_request_endpoint` defined by the Pushed * Authorization Requests RFC. @@ -1347,7 +1347,7 @@ function makeDefaults() { /* * features.pushedAuthorizationRequests.requirePushedAuthorizationRequests * - * description: Makes the use of PAR required for all authorization + * description: Makes the use of `PAR` required for all authorization * requests as an OP policy. */ requirePushedAuthorizationRequests: false, @@ -1356,7 +1356,7 @@ function makeDefaults() { /* * features.registration * - * title: [Dynamic Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html) + * title: [`Dynamic Client Registration 1.0`](https://openid.net/specs/openid-connect-registration-1_0.html) and [`RFC7591` - OAuth 2.0 Dynamic Client Registration Protocol](https://www.rfc-editor.org/rfc/rfc7591.html) * * description: Enables Dynamic Client Registration. */ 
@@ -1517,7 +1517,7 @@ function makeDefaults() { /* * features.resourceIndicators * - * title: [RFC8707](https://www.rfc-editor.org/rfc/rfc8707.html) - Resource Indicators for OAuth 2.0 + * title: [`RFC8707`](https://www.rfc-editor.org/rfc/rfc8707.html) - Resource Indicators for OAuth 2.0 * * description: Enables the use of `resource` parameter for the authorization and token * endpoints to enable issuing Access Tokens for Resource Servers (APIs). @@ -1673,7 +1673,7 @@ function makeDefaults() { /* * features.requestObjects * - * title: [Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#RequestObject) and [JWT Secured Authorization Request (JAR)](https://www.rfc-editor.org/rfc/rfc9101.html) - Request Object + * title: [`OIDC Core 1.0`](https://openid.net/specs/openid-connect-core-1_0.html#RequestObject) and [JWT Secured Authorization Request (`JAR`)](https://www.rfc-editor.org/rfc/rfc9101.html) - Request Object * * description: Enables the use and validations of the `request` and/or `request_uri` * parameters. @@ -1718,11 +1718,11 @@ function makeDefaults() { * * Supported values are: * - * - 'lax' (default) This is the behaviour expected by OIDC Core 1.0 - all parameters that + * - 'lax' This is the behaviour expected by `OIDC Core 1.0` - all parameters that * are not present in the Resource Object are used when resolving the authorization * request. - * - 'strict' This is the behaviour expected by FAPI or JAR, all parameters outside of the - * Request Object are ignored. For FAPI and FAPI-CIBA this value is enforced. + * - 'strict' (default) All parameters outside of the + * Request Object are ignored. For `PAR`, `FAPI`, and `CIBA` this value is enforced. * */ mode: 'strict', 
@@ -1731,7 +1731,7 @@ function makeDefaults() { /* * features.revocation * - * title: [RFC7009](https://www.rfc-editor.org/rfc/rfc7009.html) - OAuth 2.0 Token Revocation + * title: [`RFC7009`](https://www.rfc-editor.org/rfc/rfc7009.html) - OAuth 2.0 Token Revocation * * description: Enables Token Revocation for: * - opaque access tokens @@ -1743,7 +1743,7 @@ function makeDefaults() { /* * features.userinfo * - * title: [Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo) - UserInfo Endpoint + * title: [`OIDC Core 1.0`](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo) - UserInfo Endpoint * * description: Enables the userinfo endpoint. Its use requires an opaque Access Token with at least * `openid` scope that's without a Resource Server audience. @@ -1753,7 +1753,7 @@ function makeDefaults() { /* * features.jwtUserinfo * - * title: [Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo) - JWT UserInfo Endpoint Responses + * title: [`OIDC Core 1.0`](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo) - JWT UserInfo Endpoint Responses * * description: Enables the userinfo to optionally return signed and/or encrypted JWTs, also * enables the relevant client metadata for setting up signing and/or encryption. @@ -1939,7 +1939,7 @@ function makeDefaults() { * You can still enable them if you need to. * * example: Supported values list - * These are values defined in [Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#Authentication) + * These are values defined in [`OIDC Core 1.0`](https://openid.net/specs/openid-connect-core-1_0.html#Authentication) * and [OAuth 2.0 Multiple Response Type Encoding Practices](https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html) * ```js * [ 
@@ -1959,9 +1959,9 @@ function makeDefaults() { /* * pkce - * title: [RFC7636 - Proof Key for Code Exchange (PKCE)](https://www.rfc-editor.org/rfc/rfc7636.html) - * description: PKCE configuration such as available methods and policy check on required use of - * PKCE + * title: [`RFC7636` - Proof Key for Code Exchange (`PKCE`)](https://www.rfc-editor.org/rfc/rfc7636.html) + * description: `PKCE` configuration such as available methods and policy check on required use of + * `PKCE` * @nodefault */ pkce: { @@ -1977,10 +1977,10 @@ function makeDefaults() { /* * pkce.required * - * description: Configures if and when the OP requires clients to use PKCE. This helper is called + * description: Configures if and when the OP requires clients to use `PKCE`. This helper is called * whenever an authorization request lacks the code_challenge parameter. * Return - * - `false` to allow the request to continue without PKCE + * - `false` to allow the request to continue without `PKCE` * - `true` to abort the request */ required: pkceRequired, @@ -2030,7 +2030,7 @@ function makeDefaults() { * pairwiseIdentifier * * description: Function used by the OP when resolving pairwise ID Token and Userinfo sub claim - * values. See [Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg) + * values. See [`OIDC Core 1.0`](https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg) * recommendation: Since this might be called several times in one request with the same arguments * consider using memoization or otherwise caching the result based on account and client * ids. 
@@ -2276,10 +2276,6 @@ function makeDefaults() { * * description: Fine-tune the algorithms your provider will support by declaring algorithm * values for each respective JWA use - * recommendation: Only allow JWA algs that are necessary. The current defaults are based on - * recommendations from the [JWA specification](https://www.rfc-editor.org/rfc/rfc7518.html) + enables - * RSASSA-PSS based on current guidance in FAPI. "none" JWT algs are disabled by default but - * available if you need them. * @nodefault */ enabledJWA: { @@ -2327,7 +2323,7 @@ function makeDefaults() { /* * enabledJWA.requestObjectSigningAlgValues * - * description: JWS "alg" Algorithm values the provider supports to receive signed Request Objects (JAR) with + * description: JWS "alg" Algorithm values the provider supports to receive signed Request Objects (`JAR`) with * * example: Supported values list * ```js @@ -2387,7 +2383,7 @@ function makeDefaults() { /* * enabledJWA.authorizationSigningAlgValues * - * description: JWS "alg" Algorithm values the provider supports to sign JWT Authorization Responses (JARM) with + * description: JWS "alg" Algorithm values the provider supports to sign JWT Authorization Responses (`JARM`) with * * example: Supported values list * ```js @@ -2430,7 +2426,7 @@ function makeDefaults() { /* * enabledJWA.requestObjectEncryptionAlgValues * - * description: JWE "alg" Algorithm values the provider supports to receive encrypted Request Objects (JAR) with + * description: JWE "alg" Algorithm values the provider supports to receive encrypted Request Objects (`JAR`) with * * example: Supported values list * ```js @@ -2500,7 +2496,7 @@ function makeDefaults() { /* * enabledJWA.authorizationEncryptionAlgValues * - * description: JWE "alg" Algorithm values the provider supports for JWT Authorization response (JARM) + * description: JWE "alg" Algorithm values the provider supports for JWT Authorization response (`JARM`) * encryption * * example: Supported values list 
@@ -2540,7 +2536,7 @@ function makeDefaults() { /* * enabledJWA.requestObjectEncryptionEncValues * - * description: JWE "enc" Content Encryption Algorithm values the provider supports to decrypt Request Objects (JAR) with + * description: JWE "enc" Content Encryption Algorithm values the provider supports to decrypt Request Objects (`JAR`) with * * example: Supported values list * ```js @@ -2588,7 +2584,7 @@ function makeDefaults() { /* * enabledJWA.authorizationEncryptionEncValues * - * description: JWE "enc" Content Encryption Algorithm values the provider supports to encrypt JWT Authorization Responses (JARM) with + * description: JWE "enc" Content Encryption Algorithm values the provider supports to encrypt JWT Authorization Responses (`JARM`) with * * example: Supported values list * ```js
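Review bot: In the `@@ -998,7 +998,7 @@` hunk, the unchanged recommendation line directly below the fixed one still reads "Use `return undefined` or when you can't determine the accountId from the login_hint", with a stray "or", and the description two lines above still has "processsing"; since this change is already rewriting that comment block, drop the stray "or" and correct the spelling to "processing" in the same patch. The `throw new errors.InvalidRequest(...)` correction itself is consistent with the matching `new` fixes in the `@@ -1009,8 +1009,8 @@` hunk.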
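Review bot: In the `@@ -1718,11 +1718,11 @@` hunk, the unchanged `'lax'` bullet still says "all parameters that are not present in the Resource Object are used", where "Request Object" is clearly meant (the `'strict'` bullet and the enclosing `features.requestObjects` docs both use that term); fix it while this list is being rewritten. Moving "(default)" to `'strict'` is correct, since the unchanged value below is `mode: 'strict',`, but the new sentence "For `PAR`, `FAPI`, and `CIBA` this value is enforced" adds `PAR` to what the old text listed (FAPI and FAPI-CIBA) in a documentation-only change; please confirm the implementation actually forces strict mode for pushed authorization requests, otherwise the doc overstates the policy operators can rely on.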
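Review bot: In the `@@ -2276,10 +2276,6 @@` hunk, the four deleted `recommendation:` lines are the only place in the `enabledJWA` comment that tells operators to allow only the JWA algorithms they need and that `"none"` JWT algs are disabled by default but available; deleting them removes that security guidance rather than updating it. If the reason is that the text is stale (the RFC 7518 reference or the FAPI-based justification for RSASSA-PSS), rewrite the recommendation instead, keeping at least the "Only allow JWA algs that are necessary" sentence and the note on `"none"`, so a reader of this option still sees a warning against widening the algorithm lists.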