Allow only specific clients to call API rest service

I have a SPA calling a REST API - I have the client id and the client secret, but those can get exposed. How can I verify that a client is only my SPA and not another client that knows my secret key and client id?
What is the best practice to store the secret key in a SPA - a client running in the browser without a server side?

A SPA cannot safely call a REST API, except on behalf of the user (i.e. the typical access token you get from an /authorize request where the user consents that the application will access the API on behalf of the user).
