Hello, I am not sure this was mentioned in the issue, but there’s the doorkeeper implementation in Spree here: Install doorkeeper for OAuth2 in API V2 · spree/spree@57944f1 · GitHub
The spike helped clarify what library we should use: doorkeeper.
But I think the bottom line is still the same: OFN in itself doesn’t need OAuth right now, but if anyone implements OAuth for DFC we should use that synergy and get OAuth implemented across OFN. It should be straightforward to apply OAuth across the full app, not just DFC.
Do we have anyone willing (or any budget) to implement OAuth for DFC? If we do, we should spec that work so that it includes OFN. If we don’t, “Path the First” for the win.
I am not in favor of improving the tokens solution we have. Tokens have quite a few security vulnerabilities compared to OAuth, so long term, I think we should go OAuth. OAuth is not that complicated after you have it implemented and have a nice guide on how to use it from an API user perspective.