This page lists the requirements and best practices that a Drive API integration must adopt.
Following an "open with" action, applications must check that the user is authorized to read/write the document to which the passed document ID refers. The reason is that the URL that contains the document ID can be forged. Applications not reading file content because they store data locally still must verify a user is authorized before reading or writing file content. Not doing so is insecure.
In the "create new" flow, Google Drive provides your application with an authorization code. This code should be upgraded to an access token as soon as possible before applications take other actions. This ensures that a user is not prompted to authorize your application multiple times in a short period of time for the same file. This should be done even if no API calls needs to be made (e.g. the user never saves the document he created).