What I’m not clear on is whether it’s safe to expose the bearerToken, it says
You can get the bearer token by using the <your_api_provider>.bearerToken and pass it to the native SDK that you are using, such as the Spotify web API wrapper or the Octokit libraries from GitHub.
So I just return the bearer token along with the status from my netlify function for my front end to use – is that ok or will people be able to get all up in my spotify account? Thanks!
Thank you for your question and being extra cautious with security and the web! These network requests are being exchanged using HTTPS, so you can rest assured knowing that the data, like your bearer token, is encrypted.
One thing you can check to be sure, if the front-end is making requests to Spotify with some authorization headers, you don’t need to worry as there’s nothing you can do to prevent it.
Sorry to hear that. I would suggest asking Spotify the best way to handle the exposed bearerToken in this case then. Other folks with a similar set up may have encountered something similar.
Yeah so as you can see, the token is exposed right in the network tab, so anyone could look it up and use it.
This is why @hillary suggested to ask Spotify regarding their recommendations on how to keep the bearer token safe. We can advise on how to get the token from our integrations, which is something you’ve already managed to do. As to how to integrate it with the library and keeping it secure, we can’t say as each library might be needing it differently.
An alternative would be to use Netlify Functions. You can try running the library inside Netlify Functions and return a JSON data to the front end. This would at least help you keep the token hidden from everyone but in this case, the bearer token would have to be embedded as an environment variable in Netlify UI. So, this would probably not be the right way to go forward.
I was trying to avoid building out a fixed api with functions, but you’re right I think it’s the only way to keep the token private. Thanks all for your advice, I’ve done just that: