by jeroenhd
1186 days ago
GET should be idempotent, so if the request is repeated by the browser/a proxy/a user hitting F5, it should not matter. This is why some websites with inadequate password reset email links don't work if your company/ISP/email provider implements link scanning, as the automated service already clicked the super secret one-time link (and if the website is following the spec, that should be totally fine). As long as the GET requests return the same or equivalent API data every time they make total sense. For an access token, that's perfectly fine, assuming they don't generate a new token with every request of course.
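
A reset flow that survives link scanning, as an added example that is not part of the original comment: the emailed link's GET only renders a form and changes nothing, while a POST spends the one-time token. `ResetService`, `TOKEN_TTL`, the status codes and the sample user are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 900  # seconds; assumed token lifetime for this example


class ResetService:
    """Hypothetical reset flow: GET is safe to repeat, POST spends the token."""

    def __init__(self):
        self.pending = {}    # sha256(token) -> (user, expiry)
        self.passwords = {}  # user -> new password (a real app stores a password hash)

    @staticmethod
    def _key(token):
        # Only a hash of the token is stored, so a leaked table yields no usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.pending[self._key(token)] = (user, now + TOKEN_TTL)
        return token

    def handle(self, method, token, new_password=None, now=None):
        now = time.time() if now is None else now
        entry = self.pending.get(self._key(token))
        if entry is None or entry[1] < now:
            return 410, "link expired or already used"
        if method == "GET":
            # No state change: a scanner, proxy or F5 can repeat this freely.
            return 200, "form: choose a new password"
        if method == "POST" and new_password:
            del self.pending[self._key(token)]  # spend the token exactly once
            self.passwords[entry[0]] = new_password
            return 200, "password changed"
        return 400, "unsupported method or missing password"


def demo():
    svc = ResetService()
    token = svc.issue("alice")            # constructed sample user
    scanner = svc.handle("GET", token)    # mail gateway prefetches the link
    human = svc.handle("GET", token)      # the user clicks it afterwards
    first = svc.handle("POST", token, "n3w-pass")
    replay = svc.handle("POST", token, "other")
    return [scanner[0], human[0], first[0], replay[0]]
```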