I am currently working on a website, that will work with Twitch api and wonder if I can save the twitch accsess token on the website or not? i want to be sure
My answer to this is long-winded, so bear with me
Going to discuss all of the different tokens here and where they should probably be stored and why.
Client ID - Can be on the webpage. Most projects end up exposing this, especially for authentication.
Client Secret - Should be hidden and never exposed but stored somewhere secure and read but never presented on the web page source. You do not want people using your Secret.
Access Tokens for Users - Should be hidden and never exposed but stored somewhere secure and read but never presented on the web page source. You should also look to store the Refresh Token as tokens expire and may need to be refreshed, depending upon your particular use case.
How to hide? I recommend the MVC design patterns but, any way in which you perform the queries in a backend and only return data to a web page and not perform the query directly, you are good to go. The bottom line is, don’t expose the secret or access tokens to folks.
Hope that helps!
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.