Overly broad scopes and long-lived access tokens

8/10 High

Teams define scopes too broadly (e.g., `full_access`, `admin_all`) and issue access tokens that stay valid for hours or days instead of minutes, which dramatically increases the blast radius if a token is stolen: a single leaked token then carries broad rights for a long window.

Category: security
Workaround: solid
Stage: build
Freshness: persistent
Scope: framework
Recurring: Yes
Buyer Type: team

Sources

Collection History

Query: "What are the most common pain points with OAuth 2.0 for developers in 2025?" (3/31/2026)

Overly broad scopes and long-lived access tokens are a gift to attackers... A stolen token with `full_access` and a long lifetime is effectively a roaming admin credential... Issue short-lived access tokens and rely on refresh tokens or re-auth for longer sessions.

Created: 3/31/2026
Updated: 3/31/2026