FusionAuth
    • Home
    • Categories
    • Recent
    • Popular
    • Pricing
    • Contact us
    • Docs
    • Login

    Is it sefe to get access to GET /api/jwt/refresh?userId={userId} method?

    Scheduled Pinned Locked Moved Unsolved
    Q&A
    security jwt
    2
    2
    2.6k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      szwejkc
      last edited by dan

      I can get all refresh tokens for user if I know the user id and API authorization key. Everybody can see authorization key. User id is data that never expires, can be stolen and does not have confidential character. Why do we have this method? I think it is easy way to get token for any user...

      1 Reply Last reply Reply Quote 0
      • danD
        dan
        last edited by

        Hiya,

        When you say

        Everybody can see authorization key.

        Who do you mean? Do you mean anyone with access to the FusionAuth admin console? Or some other set of users?

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        1 Reply Last reply Reply Quote 0
        • First post
          Last post