The rule
A partner OAuth2 client_secret in front-end code is compromised the instant the page loads — anyone can read the bundle. Every authenticated call goes through your backend, which holds the secret and exchanges it for a token server-side.
Where to store it
- A secrets manager (AWS Secrets Manager, Vault, Doppler) in production.
- An encrypted environment variable read at boot — never a client-exposed one.
- Never in the repo, never in a VITE_/REACT_APP_ variable, never in a Worker script body (use a secret binding).
The safe shape
Browser → your backend → Credicorp partner ring. Your backend adds the Authorization: Bearer header. The browser only ever sees your own API.
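The shape above, as an added worked example in Node.js (this is illustrative code, not Credicorp's own): the secret is read from a server-side variable, a boot-time check refuses any VITE_/REACT_APP_-prefixed secret name, the client_credentials exchange runs on the backend, and the browser's request is mapped onto an allow-listed upstream path with the Bearer header added server-side. The env variable names, PARTNER_TOKEN_URL, PARTNER_API_URL and the /partner/v1/products path are assumptions; the partner ring is replaced by a constructed in-memory stand-in so the example runs offline.

```javascript
// Added example, not Credicorp's code. A minimal backend proxy between the browser and the
// partner ring: the client_secret lives only in a server-side variable, the token exchange
// happens here, and the browser only ever calls this API. Env names, PARTNER_TOKEN_URL,
// PARTNER_API_URL and the /partner/v1/products path are assumptions for illustration.

const CLIENT_EXPOSED_PREFIXES = ['VITE_', 'REACT_APP_']; // bundlers inline these into the page
const ALLOWED_PATHS = new Set(['/partner/v1/products']); // the browser never chooses the upstream URL

function loadPartnerConfig(env) {
  // Refuse to boot if the secret sits under a name the bundler would ship to the browser.
  for (const name of Object.keys(env)) {
    if (name.includes('CLIENT_SECRET') && CLIENT_EXPOSED_PREFIXES.some((p) => name.startsWith(p))) {
      throw new Error(`refusing to start: ${name} would be inlined into the front-end bundle`);
    }
  }
  if (!env.CREDICORP_CLIENT_SECRET) throw new Error('CREDICORP_CLIENT_SECRET is not set');
  return {
    clientId: env.CREDICORP_CLIENT_ID,
    clientSecret: env.CREDICORP_CLIENT_SECRET,
    tokenUrl: env.PARTNER_TOKEN_URL,
    apiUrl: env.PARTNER_API_URL,
  };
}

// client_credentials exchange, server-side only; the token is cached until shortly before expiry.
async function getAccessToken(config, fetchImpl, cache) {
  if (cache.token && Date.now() < cache.expiresAt) return cache.token;
  const basic = Buffer.from(`${config.clientId}:${config.clientSecret}`).toString('base64');
  const res = await fetchImpl(config.tokenUrl, {
    method: 'POST',
    headers: { Authorization: `Basic ${basic}`, 'Content-Type': 'application/x-www-form-urlencoded' },
    body: 'grant_type=client_credentials',
  });
  if (!res.ok) throw new Error(`token endpoint returned ${res.status}`);
  const body = await res.json();
  cache.token = body.access_token;
  cache.expiresAt = Date.now() + (body.expires_in - 30) * 1000; // refresh 30 s early
  return cache.token;
}

// What the browser hits: it sends only a path; this handler adds the Bearer header upstream.
async function handleBrowserRequest(req, config, fetchImpl, cache) {
  if (req.method !== 'GET' || !ALLOWED_PATHS.has(req.path)) {
    return { status: 404, body: { error: 'not found' } };
  }
  const token = await getAccessToken(config, fetchImpl, cache);
  // Browser-supplied headers are deliberately not forwarded.
  const upstream = await fetchImpl(`${config.apiUrl}${req.path}`, {
    method: 'GET',
    headers: { Authorization: `Bearer ${token}`, Accept: 'application/json' },
  });
  return { status: upstream.status, body: await upstream.json() };
}

// --- Constructed stand-in for the partner ring so the example runs offline ---
function jsonResponse(status, body) {
  return { ok: status < 400, status, json: async () => body };
}

function makeFakePartnerRing(expectedId, expectedSecret) {
  const issued = new Set();
  const calls = []; // every request the fake sees, kept for inspection
  const ring = async (url, init = {}) => {
    const headers = init.headers || {};
    calls.push({ url, headers });
    if (url.endsWith('/oauth2/token')) {
      const raw = Buffer.from((headers.Authorization || '').replace('Basic ', ''), 'base64').toString();
      const [id, secret] = raw.split(':');
      if (id !== expectedId || secret !== expectedSecret) return jsonResponse(401, { error: 'invalid_client' });
      const token = `tok_${issued.size + 1}`;
      issued.add(token);
      return jsonResponse(200, { access_token: token, token_type: 'Bearer', expires_in: 3600 });
    }
    const bearer = (headers.Authorization || '').replace('Bearer ', '');
    if (!issued.has(bearer)) return jsonResponse(401, { error: 'invalid_token' });
    return jsonResponse(200, { path: new URL(url).pathname, products: [] });
  };
  ring.calls = calls;
  return ring;
}

// Constructed server-side environment; every value is a placeholder.
const SAMPLE_ENV = {
  CREDICORP_CLIENT_ID: 'partner-client-id',
  CREDICORP_CLIENT_SECRET: 'placeholder-secret-do-not-ship',
  PARTNER_TOKEN_URL: 'https://partner.example.invalid/oauth2/token',
  PARTNER_API_URL: 'https://partner.example.invalid',
};

// Runs three browser requests through the proxy against the fake ring and reports what happened.
async function demo(env = SAMPLE_ENV) {
  const config = loadPartnerConfig(env);
  const ring = makeFakePartnerRing(env.CREDICORP_CLIENT_ID, env.CREDICORP_CLIENT_SECRET);
  const cache = {};
  const first = await handleBrowserRequest({ method: 'GET', path: '/partner/v1/products' }, config, ring, cache);
  const second = await handleBrowserRequest({ method: 'GET', path: '/partner/v1/products' }, config, ring, cache);
  const blocked = await handleBrowserRequest({ method: 'GET', path: '/admin' }, config, ring, cache);
  const tokenCalls = ring.calls.filter((c) => c.url.endsWith('/oauth2/token')).length;
  const secretSeenOutsideTokenCall = ring.calls.some(
    (c) => !c.url.endsWith('/oauth2/token') && JSON.stringify(c.headers).includes(env.CREDICORP_CLIENT_SECRET),
  );
  return { first, second, blocked, tokenCalls, secretSeenOutsideTokenCall };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

In a Cloudflare Worker the `env` object handed to the fetch handler plays the role of SAMPLE_ENV here, with the secret supplied as a secret binding rather than written into the script body; on Lambda it would be read from a secrets manager at cold start. The allow-list matters as much as the secret placement: if the browser could name an arbitrary upstream path, the proxy would turn into an open relay carrying your partner token.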
Frequently asked questions
What happens if a secret leaks to the browser?
Treat it as compromised immediately and rotate it. Anything shipped to the client is public, so a leaked secret must be revoked at once.
Can Cloudflare Workers or Lambda hold secrets?
Yes — via encrypted secret bindings or a secrets manager read at runtime. Those are server-side execution environments; the browser never sees them.