Client credentials act as a powerful service account. Anyone holding them can act on your behalf and access your tenant. Protect them as you would any internal system password.

How to keep your tokens safe

1. Use environment variables and a proper secret store

Never hardcode your client_secret in source files. Use environment variables and a secure secret manager provided by your cloud platform or infrastructure. Rotate secrets if exposure is suspected.

2. Never expose credentials in frontend or untrusted environments

Client credentials must only live on trusted servers. Do not embed them in browser code, mobile apps, desktop apps, or any environment you cannot fully control. Instead, your backend should request access tokens, validate requests, and decide what your users can do.

3. Use a backend proxy to handle all Corti API calls from frontends

When a frontend needs to call the Corti API, route every request through a proxy that you control rather than calling the API directly. The proxy injects authentication, performs validation, and enforces user-level rules before anything reaches Corti.
Figure: a client calls the proxy, the proxy adds authentication and forwards the request to Corti, then returns the response.

How your proxy authenticates and forwards requests between the client and the Corti API.
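The following is an added example, not Corti's own code or SDK, sketching the backend proxy layer that sections 1 and 3 describe: credentials are read from environment variables and never reach the client, a token is obtained and cached server-side, incoming requests are checked against an allowlist and a per-user rule, and only then is a bearer token attached and the call forwarded. It assumes the token endpoint speaks the standard OAuth 2.0 client-credentials grant; the `TOKEN_URL` and `API_BASE` values are placeholders (Corti's real endpoints are not on this page), the environment variable names, route names and the `clinician` role are constructed for illustration, and the HTTP client is injected as `fetchFn` so the code runs offline with a fake.

```javascript
// Added example (not Corti's code): a minimal credential-holding proxy layer.
// Assumptions: OAuth 2.0 client-credentials grant at a placeholder token URL;
// API_BASE is a placeholder; route names and roles below are constructed.
const TOKEN_URL = 'https://TOKEN_ENDPOINT_PLACEHOLDER/oauth/token';
const API_BASE = 'https://API_BASE_PLACEHOLDER/v2';

// Section 1: load credentials from the environment, never from source files.
// Fail fast when they are missing, and never include the secret in the error.
function loadCredentials(env = process.env) {
  const clientId = env.CORTI_CLIENT_ID;       // constructed variable name
  const clientSecret = env.CORTI_CLIENT_SECRET; // constructed variable name
  if (!clientId || !clientSecret) {
    throw new Error('CORTI_CLIENT_ID / CORTI_CLIENT_SECRET are not set');
  }
  return { clientId, clientSecret };
}

// Token cache: fetch a new token only when none is cached or the cached one
// is within `skewMs` of expiry, so clock skew cannot hand out a dead token.
function createTokenProvider(creds, fetchFn, { now = Date.now, skewMs = 30000 } = {}) {
  let cached = null; // { accessToken, expiresAt }
  return async function getAccessToken() {
    if (cached && cached.expiresAt - skewMs > now()) return cached.accessToken;
    const body = new URLSearchParams({
      grant_type: 'client_credentials',
      client_id: creds.clientId,
      client_secret: creds.clientSecret,
    });
    const res = await fetchFn(TOKEN_URL, {
      method: 'POST',
      headers: { 'content-type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    });
    if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
    const json = await res.json();
    cached = { accessToken: json.access_token, expiresAt: now() + json.expires_in * 1000 };
    return cached.accessToken;
  };
}

// Section 3: validation and user-level rules. Only an explicit allowlist of
// routes is forwarded; anything else is rejected before a token is looked up.
const ALLOWED_ROUTES = [
  { method: 'POST', pattern: /^\/interactions$/ },                 // constructed
  { method: 'GET', pattern: /^\/interactions\/[A-Za-z0-9-]+$/ },   // constructed
];

function validateClientRequest(req, user) {
  if (!user) return { ok: false, status: 401, reason: 'not signed in' };
  const match = ALLOWED_ROUTES.find(r => r.method === req.method && r.pattern.test(req.path));
  if (!match) return { ok: false, status: 403, reason: 'route not allowed' };
  // Example user-level rule: only users holding the 'clinician' role may create.
  if (req.method === 'POST' && !user.roles.includes('clinician')) {
    return { ok: false, status: 403, reason: 'role not permitted' };
  }
  return { ok: true };
}

// Build the outbound request: drop any client-supplied Authorization header
// and set the server-side bearer token, so the browser never controls it.
function buildUpstreamRequest(req, accessToken) {
  const headers = {};
  for (const [k, v] of Object.entries(req.headers || {})) {
    if (k.toLowerCase() !== 'authorization') headers[k] = v;
  }
  headers.authorization = `Bearer ${accessToken}`;
  return { url: API_BASE + req.path, method: req.method, headers, body: req.body };
}

// Full proxy step: validate, then authenticate and forward; return the
// upstream status and body to the client.
async function proxyRequest(req, user, getAccessToken, fetchFn) {
  const verdict = validateClientRequest(req, user);
  if (!verdict.ok) return { status: verdict.status, body: { error: verdict.reason } };
  const upstream = buildUpstreamRequest(req, await getAccessToken());
  const res = await fetchFn(upstream.url, upstream);
  return { status: res.status, body: await res.json() };
}
```

In a real deployment `fetchFn` would be the platform's HTTP client and `user` would come from your own session or identity layer; the point is that the client secret and the resulting access token exist only inside this process, and the frontend only ever sees the proxy's responses.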

4. If you must use tokens in special cases, use limited-scope credentials

Some scenarios may require more narrowly scoped access. We are introducing support for limited-scope tokens that reduce the risk if a token is exposed.