API authentication feedback


#1

A little feedback on the API’s authentication.

  1. I would like to be able to generate personal access tokens as an alternative to the full-blown application registration flow plus OAuth authorization flow. My use-case is only for connecting my own personal software to only my own Patreon campaign. For this use-case it saves me a lot of time and work to just click a button and get a working OAuth token. Figured out this is what the “Creator Access Token” is supposed to be.

  2. Patreon should show the OAuth token to us once, then hash it and never show it to us again. This would allow you to keep secrets out of your database, so any possible database compromise does not lead to OAuth tokens being compromised with it. Basically, treat client IDs and OAuth tokens like passwords.
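
One way to implement the hashed-token storage described in point 2, as an added example that is not code from this post or from Patreon: the token is returned to the user exactly once, only its SHA-256 digest is kept, and authentication hashes the presented token and looks up the digest. The `TokenStore` class, the `cat_` prefix and the record field names are assumptions.

```python
import hashlib
import secrets


class TokenStore:
    """Keeps only SHA-256 digests of issued access tokens, so a copy of the
    stored rows contains nothing usable as a bearer credential.
    Hypothetical example, not Patreon's implementation."""

    def __init__(self):
        # token digest -> record; this dict stands in for the database table
        self._rows = {}

    @staticmethod
    def _digest(token):
        # The token is 256 bits of CSPRNG output, so an unsalted fast hash is
        # enough: there is nothing to brute-force, unlike a user password.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, campaign_id, scopes):
        """Create a token. Returns (token_id, token); the token is shown to
        the user once and never retained in clear text."""
        token_id = secrets.token_hex(8)            # public handle, for revocation
        token = "cat_" + secrets.token_urlsafe(32)  # "cat_" prefix is assumed
        self._rows[self._digest(token)] = {
            "token_id": token_id,
            "campaign_id": campaign_id,
            "scopes": tuple(scopes),
            "revoked": False,
        }
        return token_id, token

    def authenticate(self, presented):
        """Look up a presented bearer token by its digest. Returns the record
        on success, None for unknown or revoked tokens."""
        rec = self._rows.get(self._digest(presented))
        if rec is None or rec["revoked"]:
            return None
        return rec

    def revoke(self, token_id):
        """Revoke by public token_id, so the user never has to re-enter the secret."""
        for rec in self._rows.values():
            if rec["token_id"] == token_id:
                rec["revoked"] = True
                return True
        return False

    def rows(self):
        """Everything a database dump would expose: digests and metadata only."""
        return [dict(token_hash=h, **rec) for h, rec in self._rows.items()]
```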


#2

Hey @SirCmpwn!

Yes, this is a great idea and we definitely want to move towards treating access tokens more like secrets. Leaking tokens is something we take super seriously and we’re trying hard to keep this data safe. Please let us know if you have any other dope ideas!