I’ve been thinking about how we would secure and protect our API as a service provider like Onfido or Stripe.
For this example, imagine we’re a service provider like Onfido. A short intro about Onfido: they provide a KYC solution for businesses to verify people’s identity using an ID document, a selfie photo, etc.
In order for our customers to use our service (API), a developer needs to register a user account and create an application from our dashboard; we then provide the Client ID and Client Secret for their application.
Now we have Customer ABC and Customer XYZ. In theory, they’re our clients and also the resource owners. We provide an SDK for the clients so they can embed the UI in their web application or native mobile app, or they can create their own UI and just call our API.
Based on what I read in the documentation, the client secret is not recommended to be stored in a native app or SPA. In this case, how can they proceed with the client credentials flow without any backend server?
Or is the client credentials flow not even needed here? Without the client credentials flow, how do we protect our API from being used by anonymous applications?
By the way… Merry Christmas!
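The split the question is circling, a client secret that may only live on the customer's own backend while the SPA or native app still has to call the provider's API, is usually handled by having that backend run the client credentials exchange and hand the front end nothing but a short-lived, signed token. The following is an added example illustrating that shape; it is not code from the original post and not Onfido's or Stripe's actual API. `issue_token`, `verify_token`, `customer_backend_sdk_token` and `simulate_flow` are hypothetical names, and the signing key, client IDs and client secrets are constructed values.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Provider side (hypothetical). The signing key never leaves the provider; the
# registry stores a hash of each client secret rather than the secret itself.
# Key, client IDs and secrets are constructed values for this example.
SIGNING_KEY = b"provider-token-signing-key"
_REGISTERED_CLIENTS = {
    "abc-app-id": hashlib.sha256(b"abc-client-secret").hexdigest(),
    "xyz-app-id": hashlib.sha256(b"xyz-client-secret").hexdigest(),
}
_DUMMY_HASH = hashlib.sha256(b"dummy").hexdigest()  # compared against for unknown IDs


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id, client_secret, scope="sdk", ttl=300, now=None):
    """Provider token endpoint, client-credentials style: the caller proves it
    holds the client secret and receives a short-lived, signed bearer token.
    Only the customer's backend should ever call this."""
    stored = _REGISTERED_CLIENTS.get(client_id, _DUMMY_HASH)
    presented = hashlib.sha256(client_secret.encode()).hexdigest()
    # Constant-time compare, performed even for unknown IDs so response timing
    # does not reveal which client IDs exist.
    valid = hmac.compare_digest(stored, presented) and client_id in _REGISTERED_CLIENTS
    if not valid:
        raise PermissionError("invalid client credentials")
    now = time.time() if now is None else now
    claims = {
        "sub": client_id,          # which customer this token acts for
        "scope": scope,            # what the front end may do with it
        "iat": int(now),
        "exp": int(now) + ttl,     # short lifetime limits damage if it leaks
        "jti": secrets.token_hex(8),
    }
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token, now=None):
    """Provider API gateway: accept only tokens this provider signed and that
    have not expired. Anonymous callers hold no valid token and are refused."""
    parts = token.split(".")
    if len(parts) != 2:
        raise PermissionError("malformed token")
    body, sig = parts
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(body))
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        raise PermissionError("token expired")
    return claims


# Customer side (hypothetical). This runs on Customer ABC's own server, the
# only place the client secret lives; the SPA or native app receives just the
# short-lived token and sends it as a bearer token to the provider's API.
def customer_backend_sdk_token(client_id, client_secret):
    return issue_token(client_id, client_secret, scope="sdk", ttl=300)


def simulate_flow(now=None):
    """The SPA asks its own backend for a token, then calls the provider API."""
    token = customer_backend_sdk_token("abc-app-id", "abc-client-secret")
    return verify_token(token, now=now)


if __name__ == "__main__":
    print(simulate_flow())
```

In this arrangement the client secret is only ever presented by the customer's backend, so it never ships inside the SPA or native app; the provider's API refuses any request that does not carry a token it signed, which is what keeps anonymous applications out; and the worst an attacker can extract from the front end is a token that expires in minutes and is scoped to what the SDK needs, not the long-lived credential itself.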