oAuth without client secret for single page app (SPA) and command line tools
Hi Hubspotters,
oauth.com recommends not using a client secret when writing a single page application or clients that the user can run locally, such as a command line interface. This is documented here: https://www.oauth.com/oauth2-servers/single-page-apps/ . But I can't find an option to deactivate the client secret in Hubspot.
How do you authenticate such applications via OAuth? Using the API key doesn't seem to be a solution, since it doesn't allow tracking who accesses the data or limiting the application's access scope.
Hey - so I'm pretty sure this isn't going to be possible without an external service/server. Hubspot uses the Authorization code flow - this requires a client secret to exchange the authorisation code for an access token and you shouldn't embed this in the client.
A potential solution for this is to use Hubspot Enterprise - this supports authentication and provides you with the ability to create serverless functions.
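The server-side exchange described in the answer above, as an added example that is not part of the original thread and is not HubSpot's own code. It assumes HubSpot's publicly documented token endpoint; the `env` setting names, the `session` object and the function names are hypothetical.

```javascript
// Added example: the half of the authorization code flow that must run on a server.
// Assumption: token endpoint as in HubSpot's public OAuth docs (not from the thread).
const TOKEN_URL = "https://api.hubapi.com/oauth/v1/token";

// Constant-time comparison of the anti-CSRF `state` value.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Build the code-for-token request. `env` holds settings that exist only on the
// server (hypothetical names); the client secret is never sent to the SPA or CLI.
function buildTokenRequest(code, env) {
  for (const key of ["CLIENT_ID", "CLIENT_SECRET", "REDIRECT_URI"]) {
    if (!env[key]) throw new Error(`missing server setting ${key}`);
  }
  if (typeof code !== "string" || code.length === 0) {
    throw new Error("missing authorization code");
  }
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    client_id: env.CLIENT_ID,
    client_secret: env.CLIENT_SECRET,
    redirect_uri: env.REDIRECT_URI,
    code,
  });
  return {
    url: TOKEN_URL,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}

// Handle the redirect back from the authorization server. `query` is the parsed
// callback query string; `session` is server-side session storage (hypothetical).
async function handleCallback(query, session, env, fetchImpl = fetch) {
  if (!safeEqual(query.state, session.state)) {
    return { status: 400, body: { error: "state mismatch" } };
  }
  const { url, init } = buildTokenRequest(query.code, env);
  const res = await fetchImpl(url, init);
  if (!res.ok) return { status: 502, body: { error: "token exchange failed" } };
  session.tokens = await res.json(); // tokens stay server-side in this design
  return { status: 200, body: { authenticated: true } };
}
```

Keeping the tokens in the server session is one design choice; the client then talks to this backend rather than holding credentials itself.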
Thank you for the redirect to @kierana . I can't say right now what I am building but it is a terminal application and potentially a single page app. Both have no backend that could store a secret unknown to the user.