
app secret not a secret?

Hi, I am new to this, so please excuse me if this is a dumb question. I have been playing with the HTML5 integration when I realised that my appKey and appSecret are exposed in the JavaScript that is loaded by the browser, where anybody can read it. I always thought authentication must happen on the server side, let's say in a PHP script. What is the use case for the HTML5 integration?

Hi Daniel, the app secret has very limited privileges, and as such it is safe to include it in a client-side app. Usually, the app secret is then used to register users, and the users' credentials/auth tokens are then used to perform more sensitive operations. For more detail on the three types of authentication and the appropriate uses for each of them, please check http://devcenter.kinvey.com/rest/guides/security#credentials

Hi Gal, that actually explains a lot. Thanks
