From 3eadcf448fe6b8d83478bc264dfdbee45583c74a Mon Sep 17 00:00:00 2001
From: Pierre-Yves B <PyvesDev@gmail.com>
Date: Sun, 13 Sep 2020 09:08:32 +0200
Subject: [PATCH] Add guidelines about including tokens in badge URLs (#5522)

* Add guidelines about including tokens in badge URLs

* Tweak wording

Co-authored-by: Caleb Cartwright <calebcartwright@users.noreply.github.com>

Co-authored-by: Caleb Cartwright <calebcartwright@users.noreply.github.com>
---
 CONTRIBUTING.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 3f385663c3..61d8f7d85c 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -107,6 +107,9 @@ There are three places to get help:
 - Badges should not obtain data by scraping web pages - these are likely to break frequently.
   Whereas API publishers are incentivised to maintain a stable platform for their users,
   authors of web pages have no such incentive.
+- Badges may require users to specify a token in the badge URL as long it is scoped only to
+  fetching information and doesn't expose any sensitive information. Generating a token with the
+  correct scope must be clearly documented.
 
 ## Badge URLs