Restrictions:
- Access token will be short-lived (2 minutes).
- Access token will be one-time use only.

Given a strong random algorithm, would it be considered good practice to generate an opaque access token by generating 256/512 random bits that are afterwards base64-encoded for transmission?
The bit size and randomness of the algorithm will of course correlate directly to the entropy and thereby the number of combinations to brute-force within a 2-minute time period.
My own opinion is that the entropy level directly defines whether this is a safe approach or not, but I'm wondering if there is a different approach to opaque token generation that I am not considering.
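
The scheme described in the question, sketched as an added example that is not part of the original post: 256 bits from the OS CSPRNG, base64-encoded, valid for 2 minutes and redeemable once. The class name, the in-memory dictionary, the SHA-256 digest as storage key and the guess-rate figure are assumptions made for illustration.

```python
import base64
import hashlib
import secrets
import time

TOKEN_BYTES = 32     # 256 random bits, as proposed in the question
TTL_SECONDS = 120    # the 2-minute lifetime from the question


class OpaqueTokenStore:
    """Hypothetical in-memory store; a shared store needs an atomic get-and-delete."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._by_digest = {}  # sha256(token) -> (subject, expires_at)

    @staticmethod
    def _digest(token: str) -> bytes:
        # Only the digest is kept, so a dump of the store does not reveal live tokens.
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, subject: str) -> str:
        raw = secrets.token_bytes(TOKEN_BYTES)  # OS CSPRNG, not the random module
        token = base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
        self._by_digest[self._digest(token)] = (subject, self._clock() + TTL_SECONDS)
        return token

    def redeem(self, token: str):
        # pop() removes the entry on first presentation, so a replay finds nothing.
        entry = self._by_digest.pop(self._digest(token), None)
        if entry is None:
            return None
        subject, expires_at = entry
        if self._clock() >= expires_at:
            return None  # expired tokens are rejected and already deleted
        return subject


def guess_success_bound(bits: int, guesses_per_second: float, live_tokens: int = 1) -> float:
    """Upper bound on an online guess hitting any live token within one TTL window."""
    return min(1.0, live_tokens * guesses_per_second * TTL_SECONDS / 2.0 ** bits)


if __name__ == "__main__":
    store = OpaqueTokenStore()
    tok = store.issue("alice")
    print(tok, store.redeem(tok), store.redeem(tok))
    print(guess_success_bound(256, 1e9))  # assumed rate: 1e9 guesses per second
```

The bound shows how the entropy argument in the question plays out numerically; expired entries that are never presented still need periodic cleanup, which this sketch leaves out.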