David Martin Yes, that makes sense. Setting the cookie works for browser sessions but in the case of the config operator we would probably want to use the token in every request. I think there was some difference between a short lived (only 24h) and a long lived token so I wonder if using the token directly from oauth/request would work or if we had to use that to obtain a long lived token first.