Comment by palata

I have seen implementations that preserve privacy. But fundamentally it means that an adult could give a token to a kid, as you say. But how bad is that? We don't need a perfect system, we just need it to be good enough that it prevents most kids from accessing stuff they shouldn't access. Some kids will always find a way anyway.

A simple solution to "generate infinite token and hands them out via a rest request" could be one of:

* Rate-limit the token generation. Nobody needs thousands per day, right?

* Make it illegal to distribute tokens. The server sees if you request an abnormal amount of tokens, and... it knows who you are. Not too hard to investigate.

* Make "honeypots" that scare the children when they try to access/buy the token.

I don't think it makes the concept completely useless.