Section 5: http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5
Calling access tokens "shared symmetric secrets" is misleading, because if they are implemented well the authorization server and protected resource do not store a copy of the secret. Instead they store a one-way hash of the token. Or they verify the token cryptographically. Under no circumstances do they need to store a copy. I'd suggest the following language: "Access tokens are bearer authentication tokens or capabilities."

Cheers,
Brian

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
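The two server-side designs the post describes (store only a one-way hash of an opaque token, or verify a token cryptographically so nothing per-token is stored), as an added example that is not part of the original message; the in-memory `TOKEN_STORE`, the HMAC key and the token layout are constructed assumptions, not anything from the OAuth draft:

```python
import base64
import hashlib
import hmac
import json
import secrets

# Scheme 1: opaque random token. The server keeps only sha256(token), so a
# leaked store does not yield usable bearer tokens. Constructed in-memory map.
TOKEN_STORE = {}  # sha256 digest (bytes) -> grant metadata

def issue_opaque_token(client_id, scope):
    """Mint a random bearer token and record only its SHA-256 digest."""
    token = secrets.token_urlsafe(32)            # 256 bits of entropy
    digest = hashlib.sha256(token.encode()).digest()
    TOKEN_STORE[digest] = {"client_id": client_id, "scope": scope}
    return token                                 # handed to the client once

def verify_opaque_token(presented):
    """Hash the presented token and look it up; the plaintext is never stored."""
    digest = hashlib.sha256(presented.encode()).digest()
    # A plain lookup on the digest is fine: it cannot be inverted to the token.
    return TOKEN_STORE.get(digest)

# Scheme 2: self-describing token checked cryptographically (HMAC-SHA256).
# The server keeps only the signing key, not a copy of any issued token.
def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_signed_token(key, claims):
    """Encode the claims and append an HMAC tag computed over them."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"

def verify_signed_token(key, token):
    """Recompute the tag and compare in constant time; claims or None."""
    try:
        body, tag = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        return json.loads(_unb64(body))
    except ValueError:          # malformed split, bad base64 or bad JSON
        return None
```

In either scheme a database dump contains no secret a client could present, which is the property the post relies on when it rejects the "shared symmetric secret" wording.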