That’s another helpful suggestion: I could avoid node.js and see how to make a very primitive but sufficient web server for this purpose listening on localhost. At the moment, I believe that something along those lines as described by you could very well be the best solution. I’m not an OAuth expert nor did I use it before, but I read the O’Reilly book on it some time ago, and in there is the strong recommendation that one should not bring his own native login forms, and even embedded browser components are a little bit suspicious, as the idea is to teach the user that he should only use his normal browser, as it is supposed to be independent from my application code. But browsers running as separate instances could potentially expose their data to other applications by now, so this concept is fading a little bit and of course doesn’t help in a scenario of a fully compromised machine. Anyway, I want to do my best and am thankful for advice from people who deal with such issues regularly. And yes, I attempted OAuth Implicit Code Flow (User Access Tokens), which has its own issues security-wise according to what I’ve read, but it’s more or less the same as the streaming API key. At least, it’s still standardized OAuth2, keys are at least revokable on the server-side and there are separate keys per application.
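As an added example (not code from this thread or from any poster), here is the kind of minimal loopback listener discussed above, in Python: it binds only to 127.0.0.1 on an ephemeral port, serves a single redirect, and rejects any response whose `state` does not match the value it generated. It assumes the authorization code response (parameters in the query string); an implicit-flow token arrives in the URL fragment, which the browser never sends to the listener, so this pattern does not apply to that flow.

```python
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

def parse_redirect(path, expected_state):
    """Parse the query string of a loopback redirect (authorization code
    response). Returns (code, None) on success or (None, reason) otherwise."""
    qs = parse_qs(urlparse(path).query)
    state = qs.get("state", [""])[0]
    # Constant-time comparison of the state we generated against the one
    # echoed back; a mismatch means this response is not for our request.
    if not state or not secrets.compare_digest(state.encode(), expected_state.encode()):
        return None, "state mismatch"
    if "error" in qs:
        return None, qs["error"][0]
    code = qs.get("code", [""])[0]
    return (code, None) if code else (None, "no code in redirect")

class LoopbackServer(HTTPServer):
    """Single-use listener bound to the loopback address on an ephemeral port."""
    def __init__(self):
        super().__init__(("127.0.0.1", 0), _Handler)
        self.expected_state = secrets.token_urlsafe(32)  # fresh per login attempt
        self.result = None  # filled in by the handler

    @property
    def redirect_uri(self):
        return f"http://127.0.0.1:{self.server_port}/callback"

class _Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if urlparse(self.path).path != "/callback":
            self.send_error(404)
            return
        code, err = parse_redirect(self.path, self.server.expected_state)
        self.server.result = (code, err)
        self.send_response(200 if code else 400)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"You can close this tab." if code else err.encode())

    def log_message(self, *args):  # keep the listener quiet
        pass

def wait_for_code(server, timeout=120):
    """Serve exactly one callback request (in a thread, so the caller can open
    the system browser meanwhile) and return (code, error)."""
    t = threading.Thread(target=server.handle_request, daemon=True)
    t.start()
    t.join(timeout)
    return server.result if server.result else (None, "timeout")
```

Typical use: create `LoopbackServer()`, put its `redirect_uri` and `expected_state` into the authorization URL you open in the user's normal browser, then call `wait_for_code()` and exchange the returned code for a token.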