So, one time passwords are reusable? Are there any limits to how they are used?

I noticed that a “one time password” is actually fully re-usable. There is no limit to how many times it may be used, yes? Curious on any actual limitations when generating them. Thanks.

Also see these related issues on the server repo for more context.

Brought to my attention by the ever beautiful @theCalcaholic

Yes, it’s on purpose. That’s how API tokens generally work. But it would really be great to have more fine-grained permissions…
If you only need it for file access, there’s a neat trick: Just create a password protected link share for a folder and then use

  1. https://your-cloud.url/public.php/webdav as URL
  2. The last part of the share url as user (something like WfygCyjGDewOJaj)
  3. The password your configured for the share as password (unsurprisingly)

and you’ll have an “app token” for a single directory

  1. I use this for example for mounting directories with davfs2 (because I need to put the password in a config file and I don’t want to do that with an app token that can access everything)