The thing that your post completely ignores is the existence of abstractions.
In my post I wrote the steps that a developer using a decent library would take. Let’s compare some ideal Python code:
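```python
# OAuth 2 with client credentials (my_osm_api is a hypothetical library)
from my_osm_api import OSM
client = OSM(client_id="XXX", client_secret="XXX")
client.authenticate()
client.nodes.get(523455)
```

```python
# Personal access token (PAT) with the same hypothetical library
from my_osm_api import OSM
client = OSM(pat="XXX")
client.nodes.get(523455)
```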
Seems sufficiently similar to me (one could even get rid of the `client.authenticate()` call, which would make them essentially identical). (The fact that there is no package for Python that exposes such an interface is annoying, but can be relatively easily fixed.)
If one ignores abstractions such as these, one would also have to start to include the steps of “serializing JSON”, “composing HTTP headers”, “do a TCP handshake” in the steps for using a PAT.
I’m genuinely curious what scripts you write in a Bash-like language. Can you post a link?
It would be fully possible to write an `osm-get` tool that would solve that issue anyway.
One thing that curiously hasn’t been mentioned yet in this thread is the development cost and maintenance burden of adding PATs as an authentication mechanism. Would @NorthCrab, @Matija_Nalis, @TrickyFoxy or anyone else advocating for PATs be ready to write a PR for `openstreetmap-website` adding this support, as well as promising that they will help maintain that part of the code for the next 5-10 years, including handling any security concerns exposed through this new potential attack vector?
My overall take is that I’m happy with OAuth 2, it works for my use cases, and presumably so are the maintainers of openstreetmap-website. I can’t speak for the latter (but know the usual concerns maintainers have about additional features), but I personally wouldn’t care much either way so I wouldn’t care much if anyone else wants to add and maintain support for PATs.
Also note that interestingly access tokens are currently set to never expire: openstreetmap-website/config/initializers/doorkeeper.rb at cef7d82c729ffcd1ddd05eabfef8314ce884789d · openstreetmap/openstreetmap-website · GitHub
Seems like a security oversight to me that should be fixed, but while this is the case it would be possible to write a simple webapp that does the OAuth dance and gives you a permanent token that you can use in your scripts as much as you want.
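The "OAuth dance" mentioned in the post above, as an added example that is not part of the original post or of any OSM project: the client side of an authorization code flow with PKCE, plus a check that flags a token response carrying no `expires_in`. The endpoint URLs, the loopback redirect URI and the use of PKCE are assumptions, and all function names are hypothetical.

```python
import base64, hashlib, json, secrets
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request, urlopen

# Assumptions, not taken from the post: endpoint URLs, redirect URI, PKCE support.
AUTH_URL = "https://www.openstreetmap.org/oauth2/authorize"
TOKEN_URL = "https://www.openstreetmap.org/oauth2/token"
REDIRECT_URI = "http://127.0.0.1:8000/callback"

def pkce_pair():
    """Return (verifier, S256 challenge) as defined in RFC 7636."""
    verifier = secrets.token_urlsafe(32)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def authorize_url(client_id, scope, state, challenge):
    """URL the user opens in a browser to approve the script."""
    return AUTH_URL + "?" + urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": REDIRECT_URI, "scope": scope, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256"})

def code_from_callback(callback_url, expected_state):
    """Extract the authorization code, rejecting a mismatched state (CSRF)."""
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "error" in params or "code" not in params:
        raise ValueError("authorization failed: %s" % params.get("error", ["no code"])[0])
    return params["code"][0]

def exchange_code(client_id, code, verifier):
    """POST the code to the token endpoint (network call)."""
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "client_id": client_id, "redirect_uri": REDIRECT_URI,
                      "code_verifier": verifier}).encode()
    with urlopen(Request(TOKEN_URL, data=body), timeout=10) as resp:
        return json.load(resp)

def token_summary(token_response):
    """RFC 6749: a response without expires_in states no lifetime for the token."""
    expires_in = token_response.get("expires_in")
    return {"token": token_response["access_token"],
            "expires_in": expires_in, "long_lived": expires_in is None}
```

A token for which `long_lived` is true stays valid until it is revoked, so a script that stores it should protect it like a password.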