top | item 30369598

(no title)

We collect a user's credentials (usernames + passwords) and exchange them immediately for access and refresh tokens. We use the term "credentials" as we've seen it used colloquially - access and refresh tokens certainly fall under the formal definition of credentials, but we usually call them "sensitive tokens" or something similar.

Additionally, in the case of an API like Webull's which accepts a salted MD5 hash of the user's password, the user's plaintext password will never touch our servers.

discuss

No comments yet.