File Details
higgsfield-1.3.4-prod.jar
- R
- Jun 6, 2026
- 400.93 KB
- 90
- 1.21.1
- NeoForge
File Name
higgsfield-1.3.4-prod.jar
Supported Versions
- 1.21.1
Both items flagged in the prior rejection ("plaintext token storage and external login URLs in the browser") have been fixed in this build.
1. Token storage — no longer persisted to disk
Authentication uses the OAuth 2.0 Device Authorization Grant (RFC 8628). The bearer token returned by sign-in is held only in memory for the lifetime of the Minecraft process. It is never written to a file. On exit the token is gone; players sign in once per game launch.
2. No browser auto-launch from the mod
The verification URL is delivered to the player as a Minecraft chat hyperlink. Clicking it routes through vanilla Minecraft's built-in "Open this URL?" confirmation popup — the platform-standard mechanism for opening external URLs with explicit user consent. The mod itself never launches a browser.
3. Threat model
- Bearer tokens never touch the filesystem.
- The mod cannot open URLs without explicit user consent through vanilla Minecraft's confirmation prompt.
- The OAuth client ID embedded in the mod is a *public* device-grant client ID per RFC 8628 §3.4; it carries no secret material.
Happy to provide additional details if needed.
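As an added illustration of items 1 and 3 (not the mod's own code), the sketch below applies the RFC 8628 §3.5 polling rules to token-endpoint replies and keeps the resulting bearer token in a single in-memory field. The class, record and method names are hypothetical, and the replies are constructed samples rather than real server output.

```java
import java.util.List;
import java.util.Optional;

// Added example: names are hypothetical, not taken from the mod.
public final class DeviceGrantSession {
    /** One parsed token-endpoint reply: an error code, or an access token. */
    record Reply(String error, String accessToken) {}

    // Held only in this field for the life of the process; nothing writes it to disk.
    private volatile String bearer;
    private long intervalSeconds;

    DeviceGrantSession(long intervalSeconds) { this.intervalSeconds = intervalSeconds; }

    /** Applies RFC 8628 section 3.5 to one reply; returns true when polling must stop. */
    boolean handle(Reply r) {
        if (r.error() == null) { bearer = r.accessToken(); return true; }
        switch (r.error()) {
            case "authorization_pending": return false;            // user has not approved yet
            case "slow_down": intervalSeconds += 5; return false;  // RFC: add 5 s to the interval
            default: return true;   // access_denied, expired_token or unknown: stop polling
        }
    }

    Optional<String> bearer() { return Optional.ofNullable(bearer); }
    long intervalSeconds() { return intervalSeconds; }
    void signOut() { bearer = null; }

    // Keeps the token out of logs and crash reports that stringify this object.
    @Override public String toString() {
        return "DeviceGrantSession[signedIn=" + (bearer != null) + "]";
    }

    public static void main(String[] args) {
        // Constructed replies standing in for the authorization server.
        List<Reply> replies = List.of(
            new Reply("authorization_pending", null),
            new Reply("slow_down", null),
            new Reply(null, "constructed-sample-token"));
        DeviceGrantSession s = new DeviceGrantSession(5); // 5 s is the RFC default interval
        for (Reply r : replies) {
            boolean done = s.handle(r);
            System.out.println("interval=" + s.intervalSeconds() + "s done=" + done);
            if (done) break;
        }
        System.out.println(s); // reports sign-in state without printing the token
    }
}
```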

