I know what X-Plex-Token is and how to get it; my question is: how is it secure?
Usually, using a token as a query parameter is considered insecure if the token is used more than once. My question is: how is Plex still secure if the API reuses the same token?
It’s only insecure if you expose it to the user. The creation and claiming happen through secured channels and ideally your app should not be storing or passing this in any public way. If you’re using cookies to store it, that’s bad. If you’re passing it with user-facing form data, that’s also bad.
Otherwise the token remains a secret between your app and the API.
