Matt Kruse asked

What are the restrictions on accessToken?

When using Account Linking: 1) Is there a limit to the length of the accessToken? 2) How secure is it? Can I embed an email address directly into the token, for example? Since it will never be seen by anyone except Alexa, and it will be transmitted over HTTPS (or via Lambda), are there any security concerns with embedding private data in the accessToken itself?
Tags: alexa skills kit, submission testing certification

1 Answer

justin answered
Hi Matt,

Sorry for the delay!

1. Internally, there is no length restriction, but a string that is too long will likely be problematic for some browsers, which may cause a truncated token to be passed through internally. See http://stackoverflow.com/questions/1571753/maximum-length-of-url-fragments-hash

2. Developers should definitely not embed private data (like email addresses) in access tokens. Tokens should be non-guessable, and there should not be any sensitive data embedded into the token.
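Added example, not part of the original thread and not Amazon's code: one way to follow the answer's advice is to issue a short random token and keep the private data in a server-side record, shown here beside the embed-the-email approach from the question. The names `OpaqueTokenStore`, `weak_token`, `recover_from_weak` and the sample address are assumptions made for illustration.

```python
import base64
import hashlib
import secrets
import time

# Constructed sample account; the address is illustrative only.
SAMPLE_EMAIL = "user@example.com"


def weak_token(email):
    """Anti-pattern from the question: private data encoded into the token."""
    return base64.urlsafe_b64encode(email.encode()).decode()


def recover_from_weak(token):
    """Anyone who sees the weak token can read the address back out of it."""
    return base64.urlsafe_b64decode(token.encode()).decode()


class OpaqueTokenStore:
    """Hypothetical server-side store mapping random tokens to account data."""

    def __init__(self, ttl_seconds=3600):
        self._ttl = ttl_seconds
        self._records = {}  # sha256(token) -> (email, expires_at)

    @staticmethod
    def _key(token):
        # Store only a hash so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email, now=None):
        now = time.time() if now is None else now
        # 32 bytes from the OS CSPRNG: non-guessable, and only 43 characters,
        # which stays far below any URL-fragment length limit.
        token = secrets.token_urlsafe(32)
        self._records[self._key(token)] = (email, now + self._ttl)
        return token

    def resolve(self, token, now=None):
        """Return the linked e-mail, or None if the token is unknown or expired."""
        now = time.time() if now is None else now
        record = self._records.get(self._key(token))
        if record is None:
            return None
        email, expires_at = record
        if now >= expires_at:
            del self._records[self._key(token)]
            return None
        return email
```

The skill backend would call `resolve()` on the accessToken it receives in each request; the token itself carries no information about the user.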