I want to record some persistent details/history against each device/userId. I don't want to link with a separate account in another system so I want to avoid using account linking. Docs suggest this is fine, see below.
Is it safe to assume that any request which includes the userId must be from the original device?
- Can userId be guessed?
- Can userId be exposed? (Assuming no major AWS intrusion)
- Can requests be intercepted? (I am using AWS Lambda to handle requests)
Related Docs: https://developer.amazon.com/public/solutions/alexa/alexa-skills-kit/docs/linking-an-alexa-user-with-a-user-in-your-system
Note that account linking is needed when the skill needs to connect with a system that requires authentication. If your custom skill just needs to keep track of a user to save attributes between sessions, you do not need to use account linking. Instead, you can use the userId provided in each request to identify the user. The userId for a given user is generated when the user enables your skill in the Alexa app. Every subsequent request from that user to your skill contains the same userId unless the user disables the skill.
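A sketch of the pattern the quoted documentation describes, as an added example that is not part of the original post or of Amazon's documentation: attributes are stored under the opaque userId, and a request is rejected before it touches that state if its applicationId is not the skill's own. The field paths `session.user.userId` and `session.application.applicationId` follow the Alexa custom skill request JSON; the skill ID, the sample userIds, the dict standing in for a persistent store and all function names are assumptions made for the example.

```python
# Constructed placeholder; a real skill would use its own ID from the developer console.
EXPECTED_SKILL_ID = "amzn1.ask.skill.EXAMPLE-0000"


class RequestRejected(Exception):
    """Raised when a request must not touch per-user state."""


def extract_user_id(event):
    """Return the opaque userId after checking the request targets this skill."""
    session = event.get("session") or {}
    app_id = (session.get("application") or {}).get("applicationId")
    if app_id != EXPECTED_SKILL_ID:
        raise RequestRejected("applicationId does not match this skill")
    user_id = (session.get("user") or {}).get("userId")
    if not isinstance(user_id, str) or not user_id:
        raise RequestRejected("request carries no userId")
    return user_id


def handle(event, store):
    """Load, update and save the attributes kept for this userId."""
    user_id = extract_user_id(event)
    attrs = store.get(user_id, {"visits": 0})
    attrs = dict(attrs, visits=attrs["visits"] + 1)
    store[user_id] = attrs  # stand-in for a write to a persistent table
    return attrs


def make_event(user_id, app_id=EXPECTED_SKILL_ID):
    """Build a constructed, minimal request envelope for the demo."""
    return {"session": {"application": {"applicationId": app_id},
                        "user": {"userId": user_id}}}


if __name__ == "__main__":
    store = {}
    handle(make_event("amzn1.ask.account.SAMPLE-A"), store)
    # Same userId: history continues.
    print(handle(make_event("amzn1.ask.account.SAMPLE-A"), store))
    # A different userId (for example after the skill is disabled and
    # re-enabled, per the quoted docs) starts with no history.
    print(handle(make_event("amzn1.ask.account.SAMPLE-B"), store))
```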