Is it possible for the OAuth callback url to be self-hosted on a free/OSS plan too? otherwise it would allow the cloud hosted app to intercept the token exchange flow of a client credential grant, wouldn’t it?