Client Credentials Grant - Where to keep client secret in?

I have secured an API with Auth0 and now want to access it using Angular 2 app.

It seems that I need client secret to request for token.

How can I protect the client secret as is used in the client side? Or there a different way to get the token to access my protected API that doesn’t involve using secret?


:wave: @lyubomir.velchev

The Client Credentials Grant scenario you’d be requesting the access token from a Non Interactive Client (a CLI, a daemon, or a Service running on your backend), where you’d ask Auth0 for the token to authentication. If you are using Angular I’d suggest looking at the Angular2 example we have. There is a section on Calling an API. Further reading I would suggestion would include Calling APIs from from Client-side Web Apps which discusses the Implicit Grant.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.