About Client Token
Learn about the AuthN Client Token designed to give limited access to AuthN APIs
You can use AuthN Client Token token at certain AuthN endpoints, including all /v2/client/*
endpoints. The client token doesn't grant full access to AuthN data and could be exposed in the public client application.
It is important to note that using the client token with the AuthN /v2/flow/* APIs currently allows one to build a login form that doesn't require a browser redirect to your application. This, combined with the fact that your client token is easily retrievable from the browser network traffic, could create a vulnerability to phishing attacks. A malicious party could lure your user to their login form and use your client token to interact with the AuthN APIs in your Pangea project, potentially gaining access to the user session.
Under all circumstances, you should educate your users to pay attention to the sites where they provide their credentials. Their actions could be intercepted in an Adversary-in-the-Middle (AiTM) attack, which can bypass all the protections you have implemented in your application.
Was this article helpful?