From 421748be8a3c3cce35c067363472cb6a6e3b659a Mon Sep 17 00:00:00 2001 From: Trevor Fitzgerald Date: Sat, 11 May 2024 11:45:29 -0400 Subject: [PATCH] Add token security + revoking section --- doc/specs/lichess-api.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/doc/specs/lichess-api.yaml b/doc/specs/lichess-api.yaml index 6caae10..8106f7e 100644 --- a/doc/specs/lichess-api.yaml +++ b/doc/specs/lichess-api.yaml @@ -58,6 +58,13 @@ info: - `curl https://lichess.org/api/account -H "Authorization: Bearer {token}"` - [NodeJS example](https://github.com/lichess-org/api/tree/master/example/oauth-personal-token) + ### Token Security + - Keep your tokens secret. Do not share them in public repositories or public forums. + - Do not hardcode tokens in your application. Use environment variables or a secure storage. + - If you suspect a token has been compromised, revoke it immediately. + + To see your active tokens or revoke them, see [your Personal API access tokens](https://lichess.org/account/oauth/token). + ### Authorization Code Flow with PKCE The authorization code flow with PKCE allows your users to **login with Lichess**. Lichess supports unregistered and public clients (no client authentication, choose any unique client id).
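Review bot: The third bullet in the new "Token Security" list tells readers to revoke a compromised token but not what to do afterwards; since revoking a token invalidates it for any application still using it, suggest extending the line to "If you suspect a token has been compromised, revoke it immediately and create a new one for your application." Also a wording nit in the second bullet: "or a secure storage" reads awkwardly, consider "Use environment variables or a secrets manager." instead. The rest of the hunk (the link to the Personal API access tokens page and the placement before the PKCE section) looks fine.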