The custom cart items documentation states:
Custom Cart Items are available via implicit authentication . You should always check each order has the correct details for each item, most importantly, price.
However I’m unsure where an opportune time to perform this check would be because the implicit grant type allows users to bypass our servers and add a custom item to the cart as well as checkout and pay – any help would be much appreciated?
EDIT: The more I think about this the check must be done at the time a custom item is added to the cart because the price could change from the time between add to cart and checkout / pay / post sales. I really feel for this to be viable we need to disable implicit grants?