#ZegnatOh I get that less external calls are good for implementors, aaronpk. I'm only saying that (unless you police when logins are allowed) fear for the token endpoint being compromised is not a reason as the same applies to authorization endpoints.