Simon Willison

I'm trying to think of an OAuth API that dishes out tokens which effectively let you _spend money on behalf of your users_ and I can't think of any - OAuth is great for "grant this app access to data that I want to share", but "spend money on my behalf" is a whole other ball game

6 comments
Simon Willison

I guess there's a version of this that could work: it's OAuth but users get to set a spending limit of e.g. $1 (maybe with the authenticating app suggesting what that limit should be)

Simon Willison

Mike Taylor on Twitter pointed out that advertising apps in Google/Facebook world often use OAuth to gain the ability to spend advertising money on behalf of users without getting into trouble - I've added that counter-example as a note to my blog post here: simonwillison.net/2024/Aug/24/

Emelia 👸🏻

@simon I think there's a new I-D for OAuth that does or can do something like this..

Ian

@simon Like an allowance system? Interesting idea.

Mikołaj Hołysz

@simon IMO this would work if and only if the user had to explicitly input a dollar value to grant.

Darrel Miller

@simon Both Azure APIs and Microsoft Graph use OAuth2 JWT tokens to enable a user to do things that cost money, but in both cases the token needs to be issued by Microsoft's identity provider. It might be possible to use a Federated Identity to incur those costs too, but there are plenty of controls in place for the subscription owner.
