Open
Description
Moving access_tokens to the HTTP headers mitigated it, but it's still quite easy to leak an access_token, in which case you lose. Perhaps we should consider using something like OAuth 1 signatures, like Twitter: https://developer.twitter.com/en/docs/basics/authentication/guides/creating-a-signature
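Request signing of the kind the issue proposes, as an added example and not the project's code: an OAuth 1.0a HMAC-SHA1 signer (RFC 5849) beside a server-side verifier that recomputes the signature over method, URL and parameters, bounds the timestamp and rejects nonce reuse, so a request captured in transit can neither be altered nor simply resent. The credentials, URL and parameter values are constructed.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote, urlsplit
CREDS = {"consumer_key": "ck", "consumer_secret": "cs", "token": "tk", "token_secret": "ts"}  # constructed demo values

def _pct(s):
    return quote(str(s), safe="-._~")  # RFC 5849 encoding: only unreserved chars stay bare

def base_string(method, url, params):
    # Signature base string: METHOD & base URL & normalized (sorted, encoded) parameters.
    u = urlsplit(url)
    base_url = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"
    norm = "&".join(f"{k}={v}" for k, v in sorted((_pct(k), _pct(v)) for k, v in params.items()))
    return "&".join([method.upper(), _pct(base_url), _pct(norm)])

def hmac_sha1(method, url, params, creds):
    # Key is "consumer_secret&token_secret"; neither secret is ever sent with the request.
    key = f"{_pct(creds['consumer_secret'])}&{_pct(creds['token_secret'])}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def sign(method, url, params, creds, nonce=None, ts=None):
    # Client side: add the oauth_* protocol parameters and sign the whole request.
    oauth = {"oauth_consumer_key": creds["consumer_key"], "oauth_token": creds["token"],
             "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
             "oauth_timestamp": str(int(time.time()) if ts is None else ts),
             "oauth_nonce": nonce or secrets.token_hex(16)}
    oauth["oauth_signature"] = hmac_sha1(method, url, {**params, **oauth}, creds)
    return oauth

class Verifier:
    # Server side: recompute the signature, bound the timestamp, reject nonce reuse.
    def __init__(self, lookup, window=300):
        self.lookup, self.window, self.seen = lookup, window, set()
    def verify(self, method, url, params, oauth, now=None):
        now = int(time.time()) if now is None else now
        try:
            creds = self.lookup(oauth["oauth_consumer_key"], oauth["oauth_token"])
            ts, nonce = int(oauth["oauth_timestamp"]), oauth["oauth_nonce"]
        except (KeyError, ValueError):
            return False
        if creds is None or oauth.get("oauth_signature_method") != "HMAC-SHA1" or abs(now - ts) > self.window:
            return False  # unknown credentials, wrong algorithm, or stale/future timestamp
        replay_key = (oauth["oauth_consumer_key"], oauth["oauth_token"], nonce, ts)
        if replay_key in self.seen: return False  # an intercepted request cannot simply be resent
        unsigned = {k: v for k, v in {**params, **oauth}.items() if k != "oauth_signature"}
        sig = str(oauth.get("oauth_signature", "")).encode()
        if not hmac.compare_digest(hmac_sha1(method, url, unsigned, creds).encode(), sig):
            return False  # any change to method, URL or parameters breaks the signature
        self.seen.add(replay_key)
        return True
```

What changes versus a bearer access_token is that the secrets stay on the client and server instead of travelling with every request; the client-side secret still needs protecting, since whoever holds it can sign.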