When using Account Linking:

1) Is there a limit to the length of the accessToken?
2) How secure is it? Can I embed an email address directly into the token, for example? Since it will never be seen by anyone except Alexa, and it will be transmitted over HTTPS (or via Lambda), are there any security concerns with embedding private data in the accessToken itself?

Hi Matt,

Sorry for the delay!

1. Internally, there is no length restriction, but a string that is too long will likely be problematic for some browsers, which may cause a truncated token to be passed through internally. See http://stackoverflow.com/questions/1571753/maximum-length-of-url-fragments-hash
2. Developers should definitely not embed private data (like email addresses) in access tokens. Tokens should be non-guessable, and there should not be any sensitive data embedded into the token.
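
An added example, not part of the original thread and not Amazon's code: one way to follow the advice above is to issue a short random token and keep the email address server-side, looked up by the token's hash. The class name, field names, and one-hour lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_BYTES = 32          # 256 random bits -> 43 URL-safe characters
TOKEN_TTL_SECONDS = 3600  # assumed lifetime for this example


class OpaqueTokenStore:
    """Hypothetical store mapping random access tokens to account data."""

    def __init__(self, now=time.time):
        self._records = {}  # sha256(token) -> (account, expires_at)
        self._now = now

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, account):
        """Return a new token; only its hash is kept, never the token itself."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        expires_at = self._now() + TOKEN_TTL_SECONDS
        self._records[self._digest(token)] = (dict(account), expires_at)
        return token

    def resolve(self, token):
        """Return the linked account, or None if unknown, truncated or expired."""
        if not isinstance(token, str) or not token:
            return None
        key = self._digest(token)
        record = self._records.get(key)
        if record is None:
            return None  # a truncated or guessed token matches nothing
        account, expires_at = record
        if self._now() >= expires_at:
            del self._records[key]
            return None
        return account

    def revoke(self, token):
        """Unlink the account by forgetting the token."""
        self._records.pop(self._digest(token), None)
```

The token stays short enough to avoid the URL-length truncation mentioned in the answer, and a leaked token reveals nothing about the user.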