Token-based auth works like this:
The general concept behind a token-based authentication system is simple. Allow users to enter their username and password in order to obtain a token which allows them to fetch a specific resource - without using their username and password. Once their token has been obtained, the user can offer the token - which offers access to a specific resource for a time period - to the remote site.
How could this be considered secure? When the server issues a token to the client, any hacker in the middle can steal that token and appear to the server as a valid client. So tell me how to generate a theft-proof token.
Discuss how a token can be passed back and forth between server and client in a very secure way so that a man in the middle cannot hack it.
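As an added illustration of the issuance step described in the quoted paragraph (this is example code, not part of the original post): the server signs a short-lived token with an HMAC key it alone holds, so a token cannot be forged or altered, and verification rejects tampered or expired tokens. The key, the claim names (`sub`, `exp`, `jti`) and the time-to-live are constructed for this example; confidentiality of the token in transit is left to TLS, which this code assumes.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Server-side signing key; constructed here, normally loaded from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def b64encode_part(data: bytes) -> str:
    """URL-safe base64 without padding, for one token segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64decode_part(text: str) -> bytes:
    """Inverse of b64encode_part; restores the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, ttl_seconds: int, key: bytes = SERVER_KEY, now=None) -> str:
    """Issue <payload>.<signature> after the user has authenticated with a password."""
    now = time.time() if now is None else now
    claims = {"sub": username, "exp": int(now + ttl_seconds), "jti": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64encode_part(payload)}.{b64encode_part(sig)}"


def verify_token(token: str, key: bytes = SERVER_KEY, now=None):
    """Return the username if the token is authentic and unexpired, otherwise None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = b64decode_part(payload_b64)
        sig = b64decode_part(sig_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered: signature does not match payload
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None  # expired: limits how long a stolen token stays usable
    return claims.get("sub")
```

A stolen token can still be replayed until `exp` passes, which is why the time-to-live is kept short and the token is only ever sent over TLS.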