Why is API Secret required?

manish84
I am wondering why an API secret is required. Let us take a B2B case of, say, Sensibull. A user logs in from his Sensibull app and hits the Kite server login URL containing Sensibull's API key. Once the user is validated, a request token is sent to the Sensibull server, and then the Sensibull server would use its API secret along with this request token to generate an access token and send this to the app. Henceforth, the app directly communicates with Kite using this access token.

Now, what if instead of a request token, Kite sends the user's access token to Sensibull on the redirect URL? In this case, there is no need for an API secret.

Similarly, for a B2C case, once the user hits the login URL containing the API key, why doesn't Kite send the access token directly on the redirect URL? Why is there a 2-step process of first getting a request token and then generating an access token using the API secret? I am sure there must be a logic for this, as it is standard practice. I am only trying to understand the logic behind this. Thanks.
  • sujith
    This is a standard practice like OAuth. Giving out a user's access token in the public URL is not a good practice.
    Usually, in a standard auth mechanism, a user would get a public token after authentication which is again used to get a private access token.
    If a secret doesn't exist then anyone with api_key and user credentials can keep creating sessions like an issuer. Here there is another layer that includes the app secret which only resides at the issuer.
    It is recommended not to hardcode the app secret in client-side applications (e.g., a mobile app).
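As an added example, not code from this thread, Kite, or Sensibull: a small Python simulation of the two-step flow sujith describes, showing why the secret only ever lives on the app's backend. It assumes a checksum of SHA-256 over api_key + request_token + api_secret (modelled on the Kite Connect session exchange); the class names, sample credentials and user id are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed sample credentials for the demo; not real Kite Connect keys.
API_KEY = "demo_api_key"
API_SECRET = "demo_api_secret"


class Issuer:
    """Stand-in for the token issuer (the Kite side); constructed for illustration."""

    def __init__(self, api_key, api_secret):
        self._apps = {api_key: api_secret}  # api_secret known only here and on the app's backend
        self._pending = {}                  # request_token -> user_id, single use
        self._sessions = {}                 # access_token -> user_id

    def login_redirect(self, api_key, user_id):
        """Step 1: after the user authenticates, a public request_token goes back on the redirect URL."""
        if api_key not in self._apps:
            raise ValueError("unknown api_key")
        request_token = secrets.token_hex(16)
        self._pending[request_token] = user_id
        return request_token

    def exchange(self, api_key, request_token, checksum):
        """Step 2: the checksum needs api_secret, so this exchange has to run server-side."""
        secret = self._apps.get(api_key)
        if secret is None or request_token not in self._pending:
            return None
        expected = hashlib.sha256((api_key + request_token + secret).encode()).hexdigest()
        if not hmac.compare_digest(expected, checksum):
            return None
        user_id = self._pending.pop(request_token)  # single use: replaying the request_token fails
        access_token = secrets.token_hex(24)
        self._sessions[access_token] = user_id
        return access_token


def app_server_exchange(issuer, api_key, api_secret, request_token):
    """What the app's own backend (Sensibull's server in the question) does; the secret never reaches the client."""
    checksum = hashlib.sha256((api_key + request_token + api_secret).encode()).hexdigest()
    return issuer.exchange(api_key, request_token, checksum)


def demo():
    issuer = Issuer(API_KEY, API_SECRET)
    rt = issuer.login_redirect(API_KEY, "user123")
    # A party holding only what the redirect URL exposes (api_key and request_token) gets no session.
    without_secret = issuer.exchange(API_KEY, rt, hashlib.sha256((API_KEY + rt).encode()).hexdigest())
    # The backend that holds api_secret gets one, exactly once.
    token = app_server_exchange(issuer, API_KEY, API_SECRET, rt)
    replay = app_server_exchange(issuer, API_KEY, API_SECRET, rt)
    return without_secret, token, replay
```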