From d2f8854c66c62fbc331db4e10a2f391c4b055275 Mon Sep 17 00:00:00 2001 From: Sam Gillingham Date: Wed, 10 Sep 2025 12:50:20 +1000 Subject: [PATCH 1/3] section on security considerations --- login.md | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++- quickstart.md | 6 ++--- 2 files changed, 66 insertions(+), 4 deletions(-) diff --git a/login.md b/login.md index 2fd6573..8aeed34 100644 --- a/login.md +++ b/login.md 
@@ -1,3 +1,65 @@ # Login API -See the [Quick start](quickstart.md) for login instructions. +See the [Quick start](quickstart.md) for more information. + +This document provides linux bash commands to demonstrate how to: +- Use the credentials we supply you to get an access token + +We assume: +- Linux terminal +- The jq and curl programs are installed + +You only need to get an access token once every 24 hours. +Use the access token for all subsequent requests within 24 hours. +When the access token expires, the APIs respond with a message indicating such. +For example: + +```json +{"message":"The incoming token has expired"} +``` + +Use this as a trigger to request a new access token. + +Important: for security, do not hard-code your credentials into +scripts, which might leak from code repositories. + +Below is an example of obtaining an access token for calling the Cibolabs API. + +The example assumes you’ve set two environment variables, +CIBO_CLIENT_ID and CIBO_CLIENT_SECRET, in your shell session. + +```bash +# Create a base64 encoded version of your client ID and secret + +CREDENTIALS=$(printf "%s:%s" "$CIBO_CLIENT_ID" "$CIBO_CLIENT_SECRET" | base64 -w 0) + +# Exchange your credentials for an access token + +TOKEN=$(curl -s -X POST \ + -H "Content-Type: application/x-www-form-urlencoded" \ + -H "Authorization: Basic ${CREDENTIALS}" \ + -d "grant_type=client_credentials" \ + "https://login.cibolabs.com/oauth2/token" \ + | jq -r '.access_token') + +``` + +If successful, the `TOKEN` variable holds the access token. + +# Security Considerations + +Do not allow your CIBO_CLIENT_ID and CIBO_CLIENT_SECRET values to be accessible on the public internet. +Once these leak attackers will be able to use these values to make calls to the Cibolabs +API at your expense. You will be liable for charges related to API calls by anyone with these values. + +In particular: +- Do not place these within Javascript or HTML or any other file transmitted to the user's browser. 
Users +will be able to retrieve these values by viewing the source code of your site. This access token should +only be obtained by your server and then transmitted to the browser. Since an access token expires the +likelihood of unauthorised access is low. +- Keep the values of CIBO_CLIENT_ID and CIBO_CLIENT_SECRET private to your server +- If keeping the values of CIBO_CLIENT_ID and CIBO_CLIENT_SECRET in a source control file please +ensure that your source control is private and access is only possible by authorised people. MFA +should be enabled on your source control as an extra level of security + + diff --git a/quickstart.md b/quickstart.md index 58ef9d8..a3222a7 100644 --- a/quickstart.md +++ b/quickstart.md @@ -24,12 +24,12 @@ For example: Use this as a trigger to request a new access token. -Important: for security, do not hard-code your credentials into -scripts, which might leak from code repositories. - The example assumes you’ve set two environment variables, CIBO_CLIENT_ID and CIBO_CLIENT_SECRET, in your shell session. +Please see the section on [Security Considerations](login.md#Security Considerations) +on keeping these values secure. + ```bash # Create a base64 encoded version of your client ID and secret From 2ed29507dc997bb07289d345c04dae32550b3735 Mon Sep 17 00:00:00 2001 From: Sam Gillingham Date: Wed, 10 Sep 2025 12:51:55 +1000 Subject: [PATCH 2/3] fix link --- quickstart.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/quickstart.md b/quickstart.md index a3222a7..3057834 100644 --- a/quickstart.md +++ b/quickstart.md @@ -27,7 +27,7 @@ Use this as a trigger to request a new access token. The example assumes you’ve set two environment variables, CIBO_CLIENT_ID and CIBO_CLIENT_SECRET, in your shell session. -Please see the section on [Security Considerations](login.md#Security Considerations) +Please see the section on [Security Considerations](login.md#security-considerations) on keeping these values secure. 
From b8f604c8a89e9da4c822bc1061ae3e3ed3a4257b Mon Sep 17 00:00:00 2001 From: Sam Gillingham Date: Wed, 10 Sep 2025 13:34:56 +1000 Subject: [PATCH 3/3] remove comment about source control --- login.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/login.md b/login.md index 8aeed34..9b0e6ba 100644 --- a/login.md +++ b/login.md @@ -20,9 +20,6 @@ For example: Use this as a trigger to request a new access token. -Important: for security, do not hard-code your credentials into -scripts, which might leak from code repositories. - Below is an example of obtaining an access token for calling the Cibolabs API. The example assumes you’ve set two environment variables,
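Review bot: In the login.md hunk of PATCH 1/3, the Security Considerations bullet that ends `Since an access token expires the likelihood of unauthorised access is low.` understates the exposure. The same document says a token is reused for 24 hours, so a token handed to the browser can be replayed by anyone who captures it for the rest of that window, and the charges land on the account that minted it. Suggest either having the server proxy the API calls so the token never reaches the browser, or at least naming the 24-hour window in that bullet so readers can judge the risk. Two smaller points in the same hunk: the last bullet explains how to keep CIBO_CLIENT_SECRET in source control rather than advising against it, even though the example already assumes the values live in environment variables, and the bash example has no failure path: `curl -s` hides errors and `jq -r '.access_token'` prints `null` on an error response, so `TOKEN` can silently hold the string `null`. Using `curl -sS --fail` and checking that `TOKEN` is non-empty and not `null` would make the sentence "If successful, the `TOKEN` variable holds the access token." something the reader can verify. Style: `Javascript` should be `JavaScript`, and the bullets should end with full stops.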
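Review bot: In the quickstart.md hunk of PATCH 1/3, the anchor in `[Security Considerations](login.md#Security Considerations)` contains a space, so the link does not resolve to the heading; the slug for a `# Security Considerations` heading is `#security-considerations`. PATCH 2/3 corrects this, so consider squashing that fix into this commit so the series never introduces a broken link mid-history.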
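Review bot: In the login.md hunk of PATCH 3/3, deleting `Important: for security, do not hard-code your credentials into scripts, which might leak from code repositories.` removes the only sentence in login.md that tells readers not to embed the secret at all; what remains in Security Considerations is the bullet on how to keep the values in source control, so the document's net advice after this series is weaker than before it. Suggest moving a one-line version of the removed warning into the Security Considerations list (for example as the first bullet) rather than dropping it outright.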