Add rate limiting and cache for m2m token authentication endpoints


Not being able to cache M2M tokens or to rate-limit the generation of these tokens by application is a real show-stopper for us.

We wanted to open up our APIs to partners, but this is impossible in the current state. Within a few minutes, one single partner/customer can block the APIs for everyone else.

The two solutions that I see here are:

  • Put a rate limit on token generation by application, so that an M2M API consumer can only block himself if generation is abused.
  • Implement a cache for generated tokens so that the API owners can control the generation through token lifetime.

What has been suggested in the past is to use a Hook/Action to control the token generation or the cache. But this would need something like a Redis openly available on the Internet to cache lifetimes, application IDs, etc. This is both a problem for high availability and for security.

We would gladly pay more, but the upgraded account types only contain more tokens per month. So the problem would remain the same.

This has also been discussed a long time ago here:

This feature would be highly appreciated!

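As an added illustration (not code from the original post or from the identity provider it discusses), this sketch shows the two requested controls combined on the token-issuing side: a per-application sliding-window limiter in front of the token endpoint, and a cache that reuses an application's token until its lifetime lapses, so only a cache miss ever reaches the limiter and the real issuer. The `fake_issue` function, its 3600-second lifetime and the client IDs are constructed placeholders, and the clock is passed in explicitly so the behaviour is deterministic.

```python
import threading
from collections import deque
from typing import Callable, Dict, Optional, Tuple


class TokenEndpointRateLimiter:
    """Sliding-window limit: at most `limit` token requests per `window`
    seconds for each client_id, so one application cannot starve the others."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._hits: Dict[str, deque] = {}
        self._lock = threading.Lock()

    def allow(self, client_id: str, now: float) -> bool:
        with self._lock:
            q = self._hits.setdefault(client_id, deque())
            while q and now - q[0] >= self.window:  # drop hits outside the window
                q.popleft()
            if len(q) >= self.limit:
                return False
            q.append(now)
            return True


class CachingTokenIssuer:
    """Caches each client's token until `expires_in` minus `skew` seconds has
    elapsed; a cache hit never touches the limiter or the token endpoint."""

    def __init__(self, issue: Callable[[str], Tuple[str, int]],
                 limiter: TokenEndpointRateLimiter, skew: int = 30):
        self._issue, self._limiter, self._skew = issue, limiter, skew
        self._cache: Dict[str, Tuple[str, float]] = {}  # client_id -> (token, expires_at)

    def get_token(self, client_id: str, now: float) -> Optional[str]:
        cached = self._cache.get(client_id)
        if cached and now < cached[1]:
            return cached[0]  # reuse: no call to the token endpoint
        if not self._limiter.allow(client_id, now):
            return None  # this application is throttled (an HTTP 429 in practice)
        token, expires_in = self._issue(client_id)
        self._cache[client_id] = (token, now + max(0, expires_in - self._skew))
        return token


ISSUE_CALLS = {"n": 0}  # counts how often the (constructed) token endpoint is hit


def fake_issue(client_id: str) -> Tuple[str, int]:
    """Constructed stand-in for a client-credentials token endpoint."""
    ISSUE_CALLS["n"] += 1
    return f"token-{client_id}-{ISSUE_CALLS['n']}", 3600
```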