- https://fly.io/blog/api-tokens-a-tedious-survey/
- https://web.archive.org/web/20200507173734/https://latacora.micro.blog/a-childs-garden/
- https://www.vanta.com/guides/the-ultimate-iso-27001-guide-powered-by-vanta-and-aprio
- https://aws.amazon.com/architecture/well-architected/?wa-lens-whitepapers.sort-by=item.additionalFields.sortDate&wa-lens-whitepapers.sort-order=desc
- https://www.unf.edu/~sahuja/cis6302/security.html
- https://en.m.wikipedia.org/wiki/STRIDE_%28security%29
- https://moxie.org/2011/12/13/the-cryptographic-doom-principle.html
- http://wiki.erights.org/wiki/Walnut/Secure_Distributed_Computing
- https://twitter.com/clementd/status/1430426539703914497
- https://news.ycombinator.com/item?id=28295348
- shitting on random tokens a bit
- https://news.ycombinator.com/item?id=28305254
- https://blog.thea.codes/building-a-stateless-api-proxy/
- https://news.ycombinator.com/item?id=28297763
- https://www.clever-cloud.com/blog/engineering/2021/04/12/introduction-to-biscuit/
- https://blog.fimbault.com/managing-authorization-grants-beyond-oauth-2
- https://neilmadden.blog/2019/01/16/can-you-ever-safely-include-credentials-in-a-url/
- https://www.threatmodelingmanifesto.org/
- https://www.biscuitsec.org/