Expose accesstoken to single page client?

[jwallden]

In a SPA that ideally would run without api backend for interacting with Nordigen, would it be ok to expose the access token to the client?

I'm thinking that a standalone script that periodically fetches the access token from Nordigen could be saved in a database where the client could retrieve it (using Pocketbase for database and auth to the app itself) and use it to directly fetch data from Nordigen.

[PVermeer]

I did some research in this myself. It's not immediately clear what the scope of the tokens is in the docs. I quickly found that with the access token is not user scoped so different users could query data from other users with this access token. Later I found that Nordigen also confirms this in their faq/articles. So do not share this with a client!

I would also like to see this for SPA's but that would mean a full OAuth flow (or something similar) from the Nordigen API to make this secure.

https://nordigen.zendesk.com/hc/en-gb/articles/7653149022237-Where-should-I-store-access-tokens-

[jwallden]

I suspected that it would not be a good idea to share the access token. Thanks for the response! I guess I'll either write a backend just for this OR extend Pocketbase to add a route to handle this. The latter means learning a bit of Go, though and the former will involve authentication and whatnot, adding a considerable amount of complexity and work.