@mjg59 ooh nice write up, thanks.
Those are all (by design) browser session based. Do you know of anything that would be appropriate to use in a CLI I am responsible for? The workflow is often a short burst of requests (3-10?) then nothing for hours or days.
On-device malware is what I’m trying to defend against, and the current approach I am going for is to store our bearer token in the system keychain, which at least on macOS means malware trying to access it would show the user a password prompt. But we know that is imperfect protection.