

Securely handling client_secret Passport

What is the best way to handle the client_secret in a first-party web or mobile application? Right now I have an API built in Laravel using Passport and a few first-party consumers of this API. It is said to be insecure to leak or pass the client_secret in a web/mobile application, but I don't know how you can request a password grant without passing the client_secret to /oauth/token. The only other way I can think of doing this would be to do a server-side curl request for the web (like a proxy), but this won't work in a mobile environment.

Is it safe to pass the client_secret to /oauth/client from a client-side call (via Axios)?

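An added example (not from the post or from Laravel Passport's own code) of the server-side proxy the question describes for the web case: the browser posts only the user's own credentials, and the server adds client_id and client_secret from its config before calling /oauth/token, so the secret never reaches client-side JavaScript. It assumes Laravel 7+ (the Http facade), a hypothetical controller name, and hypothetical config keys services.passport.client_id / services.passport.client_secret populated from .env.

```php
<?php
// Assumed location: app/Http/Controllers/Auth/PasswordGrantProxyController.php
// Register in routes/web.php (rate-limited, since it accepts passwords):
//   Route::post('/login', PasswordGrantProxyController::class)->middleware('throttle:10,1');

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Http;

class PasswordGrantProxyController extends Controller
{
    // The browser (e.g. via Axios) sends only username/password here.
    // client_id/client_secret are read from server-side config, never from the request.
    public function __invoke(Request $request)
    {
        $credentials = $request->validate([
            'username' => ['required', 'string'],
            'password' => ['required', 'string'],
        ]);

        // Forward to Passport's token endpoint with the secret added server-side.
        // Assumes config('app.url') is reachable from the server itself.
        $response = Http::asForm()->post(rtrim(config('app.url'), '/') . '/oauth/token', [
            'grant_type'    => 'password',
            'client_id'     => config('services.passport.client_id'),     // assumed config key
            'client_secret' => config('services.passport.client_secret'), // assumed config key
            'username'      => $credentials['username'],
            'password'      => $credentials['password'],
            'scope'         => '',
        ]);

        // Relay Passport's status code and JSON body (token set or OAuth error)
        // unchanged; the client_secret itself is never part of what the browser sees.
        return response()->json($response->json(), $response->status());
    }
}
```

The same approach does not help a mobile app, as the question notes, because there is no server-side hop of your own between the app and /oauth/token.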
