Merge pull request #340 from lichess-org/revoke-tokens
Add token security + revoking section
fitztrev authored May 11, 2024
2 parents e2ad137 + c6ca26e commit 7bb9f06
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions doc/specs/lichess-api.yaml
@@ -58,6 +58,14 @@ info:
- `curl https://lichess.org/api/account -H "Authorization: Bearer {token}"`
- [NodeJS example](https://github.com/lichess-org/api/tree/master/example/oauth-personal-token)
### Token Security
- Keep your tokens secret. Do not share them in public repositories or public forums.
- Your tokens can be used to make your account perform arbitrary actions (within the limits of the tokens' scope). You remain responsible for all activities on your account.
- Do not hardcode tokens in your application's code. Use environment variables or a secure storage and ensure they are not shipped/exposed to users. Be especially careful that they are not included in frontend bundles or apps that are shipped to users.
- If you suspect a token has been compromised, revoke it immediately.
To see your active tokens or revoke them, see [your Personal API access tokens](https://lichess.org/account/oauth/token).
### Authorization Code Flow with PKCE
The authorization code flow with PKCE allows your users to **login with Lichess**.
Lichess supports unregistered and public clients (no client authentication, choose any unique client id).
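Review bot: the new section is framed entirely around personal tokens (the only revocation path given is the link to `[your Personal API access tokens](https://lichess.org/account/oauth/token)`), yet it sits directly above `### Authorization Code Flow with PKCE`, where the tokens at stake are access tokens issued to your users rather than to you. Consider adding one sentence stating that the same rules (keep secret, never ship in frontend bundles, revoke on suspected compromise) apply to access tokens obtained through the OAuth flow, and noting that the linked page lists only the account's personal tokens, so a user's OAuth-issued tokens must be handled separately. Two small wording points in the same hunk: "Use environment variables or a secure storage" should read "Use environment variables or secure storage", and "within the limits of the tokens' scope" reads more naturally as "within the limits of the token's scope" since each bullet speaks of a single token being used or compromised.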

0 comments on commit 7bb9f06