Local access only setting, how is it supposed to work?

I have a user with “Local access only” turned on, and I’m trying to support this kind of user in my own app (so I’m using the APIs). I just found out that in this case:

  • you can’t get tokens from outside of the network, but
  • if you already have an access token, you can make requests from anywhere you want, local or remote.

Is this how it is supposed to be? I mean, access tokens are kind of short-lived, so this should not be a big problem, but it violates the setting anyway: access is provided from outside of the network.