[cratermoon]

How about short-lived access tokens and refresh tokens?

[WirelessGigabit]

Depends on your usecase. On a device it's harder to steal a token, especially on iOS when you put all that stuff in the secured enclave.

Fortify that with certificate pinning on your application and it suddenly becomes REALLY hard to intercept traffic.