Verify an Accept Hosted transaction server-side

I am looking at the Accept Hosted documentation and sample app, and I am not seeing a way to verify on the server-side whether or not the transResponse.authorization returned from the client via the window.CommunicationHandler is valid.

Am I missing something? These values could be easily intercepted & changed by malicious users using browser dev tools, so we should be using server-side checks to validate that the payment transaction data is legit.

Yet nowhere in the documentation does Authorize.net suggest to even perform such a check. Doesn't this seem like a rather large oversight? If the application layer doesn't verify the client-side-provided transaction data, then anyone could run an order through such a system and potentially cause the application to think that an order has been paid when no payment transaction was actually run.

spacedev
Member
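
The server-side check the post asks about, as an added example that is not part of the original post or of Authorize.net's sample app: the browser's `transId` is used only as a lookup key, and the order is marked paid only if the gateway's own record matches it. Assumptions: the request shape and the field names (`transId`, `responseCode`, `transactionStatus`, `authAmount`, `order.invoiceNumber`) follow the Authorize.net `getTransactionDetailsRequest` API and should be checked against the API reference; `verify_payment`, `fake_fetch`, the order record and all sample values are hypothetical and constructed.

```python
from decimal import Decimal

# Assumed transactionStatus values that mean funds were authorized or captured.
PAID_STATUSES = {"authorizedPendingCapture", "capturedPendingSettlement",
                 "settledSuccessfully"}

def build_details_request(login_id, transaction_key, trans_id):
    """JSON body for a server-to-server getTransactionDetailsRequest call."""
    return {"getTransactionDetailsRequest": {
        "merchantAuthentication": {"name": login_id,
                                   "transactionKey": transaction_key},
        "transId": trans_id}}

def verify_payment(order, client_resp, fetch_details, used_ids):
    """Return (ok, reason). Only transId is taken from the browser, and only
    as a lookup key; every decision uses the gateway's own record."""
    trans_id = str(client_resp.get("transId", ""))
    if not trans_id.isdigit():
        return False, "malformed transId"
    if trans_id in used_ids:               # one payment must not settle two orders
        return False, "transaction already applied to an order"
    txn = fetch_details(trans_id)          # server-side lookup, never the browser
    if txn is None:
        return False, "gateway has no such transaction"
    if (str(txn.get("responseCode")) != "1"
            or txn.get("transactionStatus") not in PAID_STATUSES):
        return False, "not approved"
    if txn.get("order", {}).get("invoiceNumber") != order["invoice"]:
        return False, "invoice mismatch"
    if Decimal(str(txn.get("authAmount", "0"))) != Decimal(order["amount"]):
        return False, "amount mismatch"
    used_ids.add(trans_id)
    return True, "verified"

# Constructed sample data: one gateway record and a stub standing in for the
# HTTPS call that would send build_details_request(...) to the gateway.
GATEWAY = {"60000000001": {"transId": "60000000001", "responseCode": 1,
                           "transactionStatus": "capturedPendingSettlement",
                           "authAmount": 49.99,
                           "order": {"invoiceNumber": "INV-1001"}}}

def fake_fetch(trans_id):
    return GATEWAY.get(trans_id)
```

The invoice and amount are compared against the server's own order record, so the order has to be stored server-side before the hosted payment form is requested.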