So, if for example, you generated a token for your game app, and I took that token. I could use that very same token on my localhost. Twitch won’t see that the token is trying to be used somewhere else and block the request? I am somewhat familiar with hashing, crsf, and how they are performed.
Right now I am using symmetrical aes encryption, I encrypt the key once with a global secret key, and then I encrypt it again with a private unique key stored in their account. After that, I put it in their cookie. When I need it, I decrypt it twice in reverse order. The keys are pretty large, and as I mentioned I am using https and secure cookies. Am I missing something? It’s a bit harsh on the server, but would this provide an adequate level of protection for my users?