
app secret not a secret?

Hi, I am new to this, so please excuse me if this is a dumb question. I have been playing with the HTML5 integration when I realised that my appKey and appSecret are exposed in the JavaScript that is loaded by the browser, where anybody can read it. I always thought authentication must happen on the server side, let's say in a PHP script. What is the use case for the HTML5 integration?

Hi Gal,

That actually explains a lot. Thanks

Hi Daniel, the app secret has very limited privileges, and as such it is safe to include it in a client-side app. Usually, the app secret is then used to register users, and the users' credentials/auth tokens are then used to perform more sensitive operations. For more detail on the three types of authentication and the appropriate uses for each of them, please check http://devcenter.kinvey.com/rest/guides/security#credentials