With the release of vCloud Usage Meter version 9, Broadcom has introduced another access token that does not naturally expire and which is not naturally rotated. This seems to me like an “unauthenticated API” audit finding that is being hastily swept under the rug.

I call this authentication theater. At least this one doesn’t appear in a URL.