Authentication and Authorization experiences, designs and demos

I’m the main author of Ember.SimpleAuth, so a quick note from my side: client id/client secret are now supported (see this pull request). HTTP Auth is not supported, but if anyone would like to send a pull request I’d be ok with adding it. The main point here is that both client id/client secret as well as HTTP auth don’t really provide additional security. If an attacker can get access to your refresh token, they can most likely get access to the client id/client secret or basic auth or whatever as well. The problem is that all this security-relevant stuff needs to be on the client (as it’s used by Ember) and thus can be exposed by an attacker if you a) don’t use (correctly configured) SSL or b) are vulnerable to XSS attacks.
