I’m designing an invitation system and want to hear your thoughts about security concerns and best practices.
From the email, the user will land on the webapp endpoint:
From this webapp page, the guest’s client will call an API endpoint to fetch information about the invitation. Strictly following
the json:api specification, it might be:
Accepting/declining an invitation will require a secret token which will be present in the invitation email only, but bad people could brute-force the API endpoint to try to find working ids and get access to the private
inviter resources. Isn’t that a security breach then?
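As an added example, not code from the question or its author: one way to make the lookup endpoint non-enumerable is to key the invitation on a high-entropy, single-use, expiring token rather than on a guessable id, store only a hash of that token, and throttle lookups per client. The class, method and constant names, the in-memory store standing in for a database table, and the specific limits are assumptions for the illustration.

```python
"""Added illustration (not the poster's code): an invitation lookup that
cannot be enumerated. The only handle a client ever gets is a 256-bit
random token from the email; the server stores just its hash, the token
is single-use and expires, and lookups are rate-limited per client.
Names, limits and the in-memory store are assumptions for the example."""
import hashlib
import secrets

TOKEN_BYTES = 32                    # 256 bits of randomness: guessing is infeasible
TOKEN_TTL_SECONDS = 7 * 24 * 3600   # assumed validity window of one week
MAX_LOOKUPS_PER_WINDOW = 20         # assumed per-client budget
WINDOW_SECONDS = 60


def new_invitation_token() -> str:
    """Unguessable token; this is the only thing that goes into the email."""
    return secrets.token_urlsafe(TOKEN_BYTES)


def token_key(token: str) -> str:
    """Store a hash, not the token, so a leaked table yields nothing usable."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class InvitationStore:
    """In-memory stand-in for a database table keyed by token hash."""

    def __init__(self):
        self._by_key = {}   # token_key -> invitation record
        self._hits = {}     # client_id -> (window_start, count)

    def create(self, inviter_id: str, invitee_email: str, now: float) -> str:
        """Issue an invitation; the plaintext token is returned once and never stored."""
        token = new_invitation_token()
        self._by_key[token_key(token)] = {
            "inviter_id": inviter_id,
            "invitee_email": invitee_email,
            "expires_at": now + TOKEN_TTL_SECONDS,
            "status": "pending",
        }
        return token

    def _allowed(self, client_id: str, now: float) -> bool:
        """Fixed-window limiter: True if this client may be served right now."""
        start, count = self._hits.get(client_id, (now, 0))
        if now - start >= WINDOW_SECONDS:
            start, count = now, 0
        count += 1
        self._hits[client_id] = (start, count)
        return count <= MAX_LOOKUPS_PER_WINDOW

    def lookup(self, token: str, client_id: str, now: float):
        """Handler for fetching the invitation by token.
        Throttled, unknown, expired and already-used tokens all yield None,
        so a brute-forcer learns nothing from the response."""
        if not self._allowed(client_id, now):
            return None
        rec = self._by_key.get(token_key(token))
        if rec is None or rec["status"] != "pending" or now >= rec["expires_at"]:
            return None
        return {"inviter_id": rec["inviter_id"], "invitee_email": rec["invitee_email"]}

    def respond(self, token: str, decision: str, client_id: str, now: float) -> bool:
        """Accept or decline; the token is consumed on first successful use."""
        if decision not in ("accepted", "declined"):
            return False
        if self.lookup(token, client_id, now) is None:
            return False
        self._by_key[token_key(token)]["status"] = decision
        return True
```

With this layout the json:api resource id can still appear in URLs, but nothing that reveals inviter data should be served on the id alone; every read of the invitation, not only accept/decline, must present the token. A real deployment would also log throttled requests and alert on bursts of failed lookups, since those are the visible signature of the enumeration attempt the question describes.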