Show HN: I built an MCP server to trade Robinhood through Claude Code

3 points, posted a month ago
by teamtrayd

7 Comments

m-hodges

a month ago

This middleman touches your Robinhood password…

> Your Robinhood email/password pass through our server to Robinhood's API

Yikes.

teamtrayd

a month ago

Yes, that's correct and documented. Robinhood doesn't offer OAuth for third parties - every unofficial integration (robin_stocks, etc.) uses the same pattern.

We're transparent about this tradeoff. If you're not comfortable with it, don't use it. For those who are, tokens are memory-only and wiped on logout/restart.

user

a month ago

[deleted]

DetectDefect

a month ago

> Is this safe? We've designed this with security in mind ... you are trusting our server with temporary access to your brokerage.

It is legitimately hard to tell whether this is innocent satire or actual malware.

teamtrayd

a month ago

Neither - it's a real tool with honest documentation. We could have hidden the credential flow like other projects do. Instead we documented exactly how it works so users can make informed decisions.

The "temporary access" framing is accurate: Robinhood returns tokens that expire, we hold them in memory (not disk), and they're wiped on logout or server restart.

rbajp

a month ago

this is cool - but dangerous

teamtrayd

a month ago

Agreed on both counts! The danger is inherent to any unofficial Robinhood integration since they don't provide OAuth. We've tried to be upfront about the tradeoffs in our security model docs.