Quickstart: Keep partner secrets off the client

The single rule that matters when you graduate from public reads to partner writes: a client secret must never reach the browser. This recipe shows the exact code, uses only the unauthenticated public ring, and links out to the endpoints and the application flow so the reader always has a next step.

  • server-only: secrets stay on the backend
  • vault: not in source, not in env-bundled JS
  • proxy: the browser talks to your API

The rule

A partner OAuth2 client_secret in front-end code is compromised the instant the page loads: anyone can read the bundle, including whatever the build tool inlined from an environment variable. Every authenticated call goes through your backend, which holds the secret, exchanges it for an access token server-side, and keeps that token on the backend as well.

Where to store it

  • A secrets manager (AWS Secrets Manager, HashiCorp Vault, Doppler) in production, read by the backend at runtime.
  • An environment variable injected into the server process at boot (encrypted at rest by the platform), never one your bundler inlines into client JS.
  • Never in the repo (committed .env files included), never in a VITE_/REACT_APP_ variable, never in a Worker script body (use a secret binding).

The safe shape

Browser → your backend → Credicorp partner ring. Your backend adds the Authorization: Bearer header and forwards only the partner routes it intends to expose, so it does not become an open relay. The browser only ever sees your own API.
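The shape above, and the storage rules before it, as an added example written for this quickstart (not Credicorp's own code or API): a Node.js backend reads the partner credentials from server-side environment variables and refuses to start if the secret is also bound to a bundler-exposed name, scans a built bundle for the secret, performs the OAuth2 client_credentials exchange on the backend with a cached token, and proxies only allow-listed paths for the browser. The partner URLs, env var names, routes, and the fake partner ring that stands in for the real one so the code runs offline are all assumptions.

```javascript
// Added example, not Credicorp's own code. Node.js 14+, no network needed:
// the partner ring is stood in for by a constructed fake further down.
// The URLs, env var names and routes below are assumptions for illustration.
const PARTNER_TOKEN_URL = 'https://partner.example/oauth/token'; // assumed
const PARTNER_API_BASE = 'https://partner.example/v1';           // assumed
const CLIENT_EXPOSED_PREFIXES = ['VITE_', 'REACT_APP_', 'NEXT_PUBLIC_'];

// Read credentials from the server-side environment. Refuse to start if the
// secret is also bound to a name a front-end bundler inlines into the bundle.
function loadPartnerCredentials(env) {
  const id = env.PARTNER_CLIENT_ID;
  const secret = env.PARTNER_CLIENT_SECRET;
  if (!id || !secret) {
    throw new Error('PARTNER_CLIENT_ID and PARTNER_CLIENT_SECRET must be set on the backend');
  }
  for (const [name, value] of Object.entries(env)) {
    if (value === secret && CLIENT_EXPOSED_PREFIXES.some((p) => name.startsWith(p))) {
      throw new Error(`client_secret is also exposed as ${name}, which ships to the browser`);
    }
  }
  return { id, secret };
}

// Build-time check over the compiled assets: neither the raw secret nor its
// base64 form (what a Basic header would carry) may appear in the bundle.
function bundleLeaksSecret(bundleText, secret) {
  const b64 = Buffer.from(secret).toString('base64');
  return bundleText.includes(secret) || bundleText.includes(b64);
}

// OAuth2 client_credentials exchange, performed only on the backend. The token
// is cached until 30 s before expiry so the secret crosses the wire rarely.
async function getAccessToken(creds, cache, fetchImpl, now = Date.now) {
  if (cache.token && cache.expiresAt - 30000 > now()) return cache.token;
  const basic = Buffer.from(`${creds.id}:${creds.secret}`).toString('base64');
  const res = await fetchImpl(PARTNER_TOKEN_URL, {
    method: 'POST',
    headers: { Authorization: `Basic ${basic}`, 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({ grant_type: 'client_credentials' }).toString(),
  });
  if (!res.ok) throw new Error(`token exchange failed with HTTP ${res.status}`);
  const { access_token, expires_in } = await res.json();
  cache.token = access_token;
  cache.expiresAt = now() + expires_in * 1000;
  return access_token;
}

// Browser-facing handler: allow-listed partner paths only (not an open relay),
// bearer token attached server-side, credentials and token never returned.
const ALLOWED_PATHS = new Set(['/quotes', '/applications']); // assumed routes
async function handleBrowserRequest(path, creds, cache, fetchImpl) {
  if (!ALLOWED_PATHS.has(path)) return { status: 404, body: { error: 'unknown route' } };
  const token = await getAccessToken(creds, cache, fetchImpl);
  const res = await fetchImpl(`${PARTNER_API_BASE}${path}`, {
    headers: { Authorization: `Bearer ${token}`, Accept: 'application/json' },
  });
  return { status: res.status, body: await res.json() };
}

// Constructed stand-in for the partner ring so the example runs offline: issues
// a token for the right Basic credentials, demands that Bearer on API calls.
function makeFakePartner(expectedId, expectedSecret) {
  const log = [];
  const issued = 'tok_' + Math.random().toString(36).slice(2);
  const reply = (status, body) => ({ ok: status < 400, status, json: async () => body });
  const fetchImpl = async (url, init = {}) => {
    const auth = (init.headers && init.headers.Authorization) || '';
    log.push({ url, auth });
    if (url === PARTNER_TOKEN_URL) {
      const expected = 'Basic ' + Buffer.from(`${expectedId}:${expectedSecret}`).toString('base64');
      return auth === expected
        ? reply(200, { access_token: issued, token_type: 'bearer', expires_in: 3600 })
        : reply(401, { error: 'invalid_client' });
    }
    if (url.startsWith(PARTNER_API_BASE)) {
      return auth === `Bearer ${issued}`
        ? reply(200, { path: url.slice(PARTNER_API_BASE.length), items: [] })
        : reply(401, { error: 'invalid_token' });
    }
    return reply(404, { error: 'not found' });
  };
  return { fetchImpl, log, issued };
}

// End-to-end run with constructed example values.
async function demo() {
  const env = { PARTNER_CLIENT_ID: 'acme-app', PARTNER_CLIENT_SECRET: 's3cr3t-example' };
  const creds = loadPartnerCredentials(env);
  const partner = makeFakePartner(creds.id, creds.secret);
  const cache = {};
  const first = await handleBrowserRequest('/quotes', creds, cache, partner.fetchImpl);
  const second = await handleBrowserRequest('/applications', creds, cache, partner.fetchImpl);
  const blocked = await handleBrowserRequest('/admin/keys', creds, cache, partner.fetchImpl);
  return { first, second, blocked, calls: partner.log, issued: partner.issued };
}

demo().then((r) => console.log(`${r.calls.length} partner calls; token exchanges: ${r.calls.filter((c) => c.url === PARTNER_TOKEN_URL).length}`));
```

Two things to notice when running it: the token endpoint is hit once for two browser requests because the token is cached, and the objects handed back to the browser contain neither the client_secret nor the bearer token. Run bundleLeaksSecret over your dist/ output in CI with the real secret pulled from the secrets manager, and fail the build if it returns true.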

Frequently asked questions

What happens if a secret leaks to the browser?

Treat it as compromised immediately and rotate it. Anything shipped to the client is public, so a leaked secret must be revoked at once, along with any access tokens issued under it that have not yet expired.

Can Cloudflare Workers or Lambda hold secrets?

Yes: Cloudflare Workers take encrypted secret bindings (set with wrangler secret put, not as plaintext vars in wrangler.toml), and Lambda functions can read a secrets manager at runtime or use environment variables the platform encrypts at rest. Those are server-side execution environments; the browser never sees them.