Showing results for 
Search instead for 
Did you mean: 

How to keep client secret secure in public app?

Mt. Kenya

I'm working on a browser-based app using the Strava API that I hope to eventually make publicly available. Originally, I was planning on having all of the communication take place in Javascript in the user's browser. However, since the POST that exchanges the auth code for an access token requires the client secret, so far I have needed to hard-code my client secret in the browser-side JS.

This doesn't seem secure, but I'm not sure what the easiest method to secure it is. My first thought was to host a separate API to retrieve access tokens. Once the browser gets an auth code back from Strava, it sends it to the API, and the API talks to Strava to exchange the code for a token, and then sends the token back to the browser.

This seems a little convoluted, and even more so if I would need to implement TLS on my new API to secure that communication channel. Is there another recommended way to keep my client secret secure?



For applications running solely in the browser, the implicit flow is the way to go, but that's not supported by the Strava API AFAIK.

Please have a look at this SO thread about the same question:

Ready, Get Set, Go!

Welcome to the Community - here is your guide to help you get started!

Know how to use Community

Understand Community Settings