Hi! Thank you for your quick response.
I did read over that page earlier, but maybe I need a clarification…
My use case is setting up the device’s wifi through either a Captive Portal or a browser.
In either scenario, the wifi setup page is an HTML page. Regardless of securing the RPC through HTTP Digest or mutual TLS, a user should be able to get the pass key by inspecting the source, no? An intruder could then set the device into AP mode (our product allows this so that users can change routers), open the Captive Portal, get access to the key, and then have open access to RPC.
Am I misunderstanding something?