Deekshith's avatar

Secured storage of client secret and client id to communicate between mobile app and laravel api

We are working on Android, where the API is given using Laravel. This app is just an information site with article categories, so there is no user authentication or registration.

But to protect the public API, where a particular API should be accessible from the app only, I have used Laravel Passport Client Credentials Grant Tokens.

I have created a client using the below command,

php artisan passport:client --client

Now what I am doing is whenever the user first opens the app I am calling this API to generate the token,

https://www.example.com/oauth/token

Post Json:

{
    "grant_type": "client_credentials",
    "client_id": "3",
    "scope": "*",
    "client_secret": "client_id_3_secret_goes_here"
}

Now my concern is where to store this client id and client_secret. Shall I hard-code the client_id and client_secret in the Android code, so that every time the user first opens the app it will call this API using the hardcoded secret and client_id?

What if I change the client_secret in the future? I should edit the Android code as well to make changes. Please help me out with a possible solution for this.

0 likes
2 replies
Deekshith's avatar

Thank you for the reply. Yes, I will check this. Also, please let me know what the procedure will be if I change the client_credentials later. Do I need to build the Android app and update it again?