Hi,
I have made an integration where the user enters their username/password to a service.
With this username/password I can get an AccessToken from an API that will be used to connect to the service I want to get data from.
Everything works today, but I'm wondering how to do this the safest way. I can not run my API call in the frontend because I also have a private bearer token that needs to be sent with the auth request.
My solution today is to send username/password to a backend API workflow that stores the accessToken to my database. I use API Connector to connect to my own backend API workflow to make sure the request happens instantly, and that I can get an “OK” or “Failed” response in return.
It doesn’t feel safe to pass a password this way. Any thoughts?
Yep, this is the ideal way. Just make sure your backend workflow is set up correctly though. There shouldn’t be any unauthenticated access to that if a potential hacker gets your endpoint. Also, the privacy rules for the accessToken field
Base64 has the virtue of preserving any string transformation while being passed.
When it comes to security, base64 encoding doesn’t change anything vs clear text…
Do you have any suggestions on how it should be handled?
I know many APIs send clientkey/client secret as parameters to get an accessToken, and that’s exactly what I do here. The only reason why I’m not so comfortable is because with this service you have to use your username and password to get the access token in return.
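The backend-workflow design discussed in this thread, written out as an added example (not code from any poster, and not Bubble's own workflow engine): the frontend sends username/password to a backend-only handler, the handler adds the private bearer token that must never reach the browser, calls the service's token endpoint, persists only the returned access token, and answers the caller with just “OK” or “Failed”. It also shows the point made about base64: decoding simply gives the password back, so encoding it adds no protection. The service endpoint, the bearer value, the user names and the token store are all constructed stand-ins; a real deployment would call the provider over HTTPS and keep the bearer in server-side configuration.

```python
import base64
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Hypothetical server-side secret: the "private bearer token" from the thread.
# It exists only in the backend workflow's configuration, never in the frontend.
PRIVATE_BEARER = "constructed-private-bearer"


def fake_service_auth(headers: Dict[str, str], body: Dict[str, str]) -> dict:
    """Constructed stand-in for the third-party service's token endpoint.

    Requires the private bearer AND a valid username/password; only one
    constructed account ("alice") is accepted.
    """
    if headers.get("Authorization") != f"Bearer {PRIVATE_BEARER}":
        return {"status": 401}
    if body.get("username") == "alice" and body.get("password") == "correct-horse":
        return {"status": 200, "access_token": "tok-" + secrets.token_hex(8)}
    return {"status": 403}


@dataclass
class TokenStore:
    """Stand-in for the app database: one access token per user, never the password."""
    tokens: Dict[str, str] = field(default_factory=dict)


def backend_token_workflow(
    session_user: Optional[str],
    username: str,
    password: str,
    store: TokenStore,
    call_service: Callable[[dict, dict], dict] = fake_service_auth,
) -> str:
    """Backend-only exchange of credentials for an access token.

    Returns "OK" or "Failed" so the frontend learns the outcome without ever
    seeing the access token or the private bearer. The password is used for
    the upstream call and then discarded; nothing but the token is stored.
    """
    # Reject callers with no authenticated app session, so finding the
    # endpoint URL alone is not enough to use it (the reply's point above).
    if session_user is None:
        return "Failed"
    resp = call_service(
        {"Authorization": f"Bearer {PRIVATE_BEARER}"},
        {"username": username, "password": password},
    )
    if resp.get("status") != 200:
        return "Failed"
    store.tokens[session_user] = resp["access_token"]  # only the token is persisted
    return "OK"


def base64_recovers_plaintext(secret: str) -> bool:
    """Base64 is reversible encoding, not protection: decoding returns the input."""
    encoded = base64.b64encode(secret.encode("utf-8")).decode("ascii")
    return base64.b64decode(encoded).decode("utf-8") == secret


if __name__ == "__main__":
    db = TokenStore()
    print(backend_token_workflow("user-1", "alice", "correct-horse", db))  # OK
    print(backend_token_workflow("user-1", "alice", "wrong", db))          # Failed
    print(backend_token_workflow(None, "alice", "correct-horse", db))      # Failed
    print(base64_recovers_plaintext("p@ssw0rd"))                           # True
```

Two properties worth checking in any real implementation of this pattern: the frontend response carries only the status string, and the stored record contains the token but never the password or the private bearer.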