I have a web application that will authorize a user with eBay so that I can post items for them. But I want to cap the limit at 50 per account and eBay account. I can easily track how many item posts they performed in my application. But what prevents the user from opening another account with my application and re-authorizing with the same eBay account?
So I tried it with my application and my eBay account, and looking at the tokens from account 1 and account 2, there's literally a 5-character difference at the beginning of the token String (around character 15). The rest of the token is the same.
Is there a way to tell from the token if it's the same account?