by weird-eye-issue 1818 days ago
In practice this has not been a problem. It's like saying you can't put unsubscribe links in emails because a bot will click on it... You just simply design the software so that doesn't happen.

Like I said, I've used a similar service that only allows you to view the secret once and I've used it dozens of times with no problems.

> you just simply design the software so that doesn't happen.

How do you go about doing that? Disregard security service clicks based on IP address blacklists, user agent sniffing, etc.?

Nope, you just use a POST request...

How does a legitimate user clicking on a link inside an email generate a POST request?

It loads a page which then makes a POST request to an API via JS.

Thanks again for all the feedback. Short update: I'm using DELETE now, since it feels a bit more accurate. As a side effect, the page is way more responsive. :)

Have fun sharing secrets. C.
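
The pattern the thread settles on, as an added example that is not part of the original thread or the service's own code: GET on the emailed link returns a page with no side effects, and only a DELETE issued by that page's JS reads and destroys the secret. The `/s/<id>` route, the function names, the in-memory store and the reveal-on-click button are assumptions made for this sketch.

```javascript
const crypto = require("crypto");

// In-memory store for the sketch: id -> secret text.
const secrets = new Map();

function createSecret(text) {
  const id = crypto.randomBytes(16).toString("hex"); // unguessable link id
  secrets.set(id, text);
  return id;
}

// Page served for the emailed link. It holds no secret; the browser only
// asks for it when the user clicks, using a non-GET method.
const REVEAL_PAGE = `<!doctype html>
<button id="reveal">Reveal secret</button>
<pre id="out"></pre>
<script>
document.getElementById("reveal").onclick = async () => {
  const res = await fetch(location.pathname, { method: "DELETE" });
  document.getElementById("out").textContent =
    res.ok ? await res.text() : "This secret has already been viewed.";
};
</script>`;

// Transport-free request handler: returns { status, body }.
function handle(method, path) {
  const match = /^\/s\/([0-9a-f]{32})$/.exec(path);
  if (!match) return { status: 404, body: "not found" };
  const id = match[1];

  if (method === "GET") {
    // What a mail scanner or link previewer sends. No state change, and the
    // same page is returned whether or not the secret still exists.
    return { status: 200, body: REVEAL_PAGE };
  }
  if (method === "DELETE") {
    if (!secrets.has(id)) return { status: 410, body: "gone" };
    const text = secrets.get(id);
    secrets.delete(id); // read and destroy in the same step
    return { status: 200, body: text };
  }
  return { status: 405, body: "method not allowed" };
}
```

Repeated GETs leave the secret intact, the first DELETE returns it, and every later DELETE gets 410.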