Where to store client credentials when using Laravel Passport on an API?

Posted 7 months ago by jd

Working on a project. I have a Laravel folder which is the backend API and another folder with a Vue.js app.

Usually I would use JWT for auth, and I may still go back to that, but I wanted to try to use as many of the official Laravel packages as possible.

My problem is that the online tutorials I have looked at all seem to store the client secret key from Laravel Passport in the JS, which would mean that if someone inspected the app.js file, it could be seen. I know CORS can restrict where requests are accepted from, but it just doesn't seem right to have the client secret key stored where the public can access it.

Where is the best place to store the client secret key etc.? Is there some part of the Laravel Passport package I am missing when reading the docs?

