What we still need to do:

- [ ] client: don't store tokens/accesscode in localStorage, use secure cookies instead
- [ ] server: allow creating tokens with read/write capabilities for specific collections
- [ ] client: support multiple tokens/accesscodes
- [ ] rethink token vs accesscode model, review where we want/need JWTs
- [ ] add one-time login links for use in short URLs, remove accesscodes
- [ ] maybe add sessions (after login) with plain old session cookies (less overhead than JWTs in all requests)
- [ ] add UI to manage tokens
- [ ] rethink if/how we want to derive tokens/JWT from hypercore keys