diff --git a/sigstore/_internal/oidc/oauth.py b/sigstore/_internal/oidc/oauth.py
index 54f86f49c..439f0cfdd 100644
--- a/sigstore/_internal/oidc/oauth.py
+++ b/sigstore/_internal/oidc/oauth.py
@@ -130,7 +130,7 @@ def __exit__(
 class _OAuthRedirectHandler(http.server.BaseHTTPRequestHandler):
- def log_message(self, _format: str, *_args: Any) -> None:
+ def log_message(self, format: str, *_args: Any) -> None:
 pass
 def do_GET(self) -> None:
@@ -177,7 +177,6 @@ def __init__(self, client_id: str, client_secret: str, issuer: Issuer):
 self._client_secret = client_secret
 self._issuer = issuer
 self._state = str(uuid.uuid4())
- self._nonce = str(uuid.uuid4())
 self.code_verifier = B64Str(
 base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode()
@@ -197,7 +196,7 @@ def auth_endpoint(self, redirect_uri: str) -> str:
 # Defensive programming: we don't have a nice way to limit the
 # lifetime of the OAuth session here, so we use the internal
 # "poison" flag to check if we're attempting to reuse it in a way
- # that would compromise the flow's security (i.e. nonce reuse).
+ # that would compromise the flow's security (i.e. state reuse).
 if self.__poison:
 raise IdentityError("internal error: OAuth endpoint misuse")
 else:
@@ -216,7 +215,6 @@ def _auth_params(self, redirect_uri: str) -> dict[str, Any]:
 "code_challenge": self.code_challenge,
 "code_challenge_method": "S256",
 "state": self._state,
- "nonce": self._nonce,
 }
diff --git a/sigstore/_internal/sct.py b/sigstore/_internal/sct.py
index f8f347692..6af98b806 100644
--- a/sigstore/_internal/sct.py
+++ b/sigstore/_internal/sct.py
@@ -211,7 +211,7 @@ def verify_sct(
 f"SCT verify: Invalid issuer pubkey basicConstraint (not a CA): {issuer_pubkey}"
 )
- if not isinstance(issuer_pubkey, (rsa.RSAPublicKey, ec.EllipticCurvePublicKey)):
+ if not isinstance(issuer_pubkey, rsa.RSAPublicKey | ec.EllipticCurvePublicKey):
 raise VerificationError(
 f"SCT verify: invalid issuer pubkey format (not ECDSA or RSA): {issuer_pubkey}"
 )
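Review bot: The reworded comment in `auth_endpoint` (oauth.py) names only `state` as what the poison flag protects, but the PKCE verifier is also created once in `__init__` and its challenge is sent from `_auth_params`, so a second call would reuse both; I would write `# that would compromise the flow's security (e.g. state or PKCE challenge reuse).` With `nonce` no longer generated or sent (the `__init__` and `_auth_params` hunks of this file), the request carries no value that ties the returned ID token to this session by claim, and the binding rests on `state` and the S256 challenge. Whether the nonce claim was ever checked on the token is not visible in these hunks, so a one-line comment above the `"state"` entry, for example `# No OIDC nonce is sent: response binding relies on state and PKCE (S256).`, would record that decision. `auth_endpoint` and `_auth_params` both continue outside their hunks.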
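Review bot: `isinstance(issuer_pubkey, rsa.RSAPublicKey | ec.EllipticCurvePublicKey)` in `verify_sct` only works on Python 3.10 and later; on an older interpreter the `|` between two classes raises `TypeError`, so the key-type check would fail with an unrelated exception instead of `VerificationError`. The same form is introduced in `_from_v1_response` in sigstore/models.py (`Hashedrekord | Dsse`), where it would replace `InvalidBundle`. The package's minimum supported Python is not shown in this diff; unless it is 3.10 or newer, keep the tuple form, `isinstance(issuer_pubkey, (rsa.RSAPublicKey, ec.EllipticCurvePublicKey))`, which accepts exactly the same objects. `verify_sct` starts and ends outside the hunk.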
diff --git a/sigstore/models.py b/sigstore/models.py
index 619c4591e..2237b772e 100644
--- a/sigstore/models.py
+++ b/sigstore/models.py
@@ -128,7 +128,7 @@ def _from_v1_response(cls, dict_: dict[str, Any]) -> TransparencyLogEntry:
 body_entry: ProposedEntry = TypeAdapter(ProposedEntry).validate_json(
 base64.b64decode(entry["body"])
 )
- if not isinstance(body_entry, (Hashedrekord, Dsse)):
+ if not isinstance(body_entry, Hashedrekord | Dsse):
 raise InvalidBundle("log entry is not of expected type")
 raw_inclusion_proof = entry["verification"]["inclusionProof"]