I remember one of the reasons access code is in memory. When a code is turned into a token, the code is removed. Thus, the code can only be used once and only once to obtain an access token. This can be mitigated, of course, by timeouts on the access code.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
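The behaviour described in the message above, sketched as an added example (not code from the message or from the project it concerns): an in-memory store where redeeming a code removes it, with a timeout on codes that are never redeemed. The class, method and parameter names are hypothetical, and binding the code to a client ID is an assumption taken from common OAuth practice rather than from the message.

```python
import secrets
import threading
import time
from concurrent.futures import ThreadPoolExecutor


class AuthCodeStore:
    """In-memory store of single-use authorization codes (hypothetical names)."""

    def __init__(self, ttl_seconds=60.0, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock            # injectable so expiry can be tested
        self._codes = {}               # code -> (client_id, user_id, expires_at)
        self._lock = threading.Lock()

    def issue(self, client_id, user_id):
        code = secrets.token_urlsafe(32)
        with self._lock:
            self._codes[code] = (client_id, user_id, self._clock() + self._ttl)
        return code

    def redeem(self, code, client_id):
        # pop() under the lock removes the code as part of the lookup, so two
        # concurrent token requests can never both find the same code.
        with self._lock:
            entry = self._codes.pop(code, None)
        if entry is None:
            return None                # unknown or already redeemed
        bound_client, user_id, expires_at = entry
        if self._clock() >= expires_at or bound_client != client_id:
            return None                # expired or wrong client; code is gone either way
        return {"access_token": secrets.token_urlsafe(32), "sub": user_id}

    def purge_expired(self):
        # The timeout bounds how long never-redeemed codes occupy memory.
        now = self._clock()
        with self._lock:
            stale = [c for c, e in self._codes.items() if e[2] <= now]
            for c in stale:
                del self._codes[c]
        return len(stale)


def race_redeem(store, code, client_id, workers=8):
    """Redeem one code from several threads; return how many got a token."""
    with ThreadPoolExecutor(workers) as pool:
        results = list(pool.map(lambda _: store.redeem(code, client_id),
                                range(workers)))
    return sum(r is not None for r in results)
```

Because the removal and the lookup are one step, a replayed or raced code yields at most one token; a store that reads first and deletes later would leave a window in which two requests both succeed.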