FusionAuth

Is it safe to get access to GET /api/jwt/refresh?userId={userId} method?

Q&A
security jwt
  • szwejkc
    last edited by dan 20 May 2020, 23:29

    I can get all refresh tokens for a user if I know the user id and the API authorization key. Everybody can see the authorization key. The user id is data that never expires, can be stolen and does not have a confidential character. Why do we have this method? I think it is an easy way to get a token for any user...

    • dan
      last edited by 21 May 2020, 14:32

      Hiya,

      When you say

      Everybody can see authorization key.

      Who do you mean? Do you mean anyone with access to the FusionAuth admin console? Or some other set of users?

      --
      FusionAuth - Auth for devs, built by devs.
      https://fusionauth.io
