I’ve been working on a project for a friend, making him a tool to help him manage his BigCommerce store. I had previously made the tool for Shopify, but he ended up needing to switch providers. I’ve run into a few things with BigCommerce’s API that I have found either odd or concerning. The recommended method of authentication is OAuth, three-legged OAuth2 to be specific. The thing is, they basically shortcut one of the legs.