Hide Chat OAuth Token in Client

Hello, I’ve built a simple chat bot for that runs when opened in a web browser and plays the video links of song suggestions submitted by chatters. My issue is that the OAuth token for the bot will end up being exposed in the pages source, allowing for anyone to send messages on the bot’s behalf. I know how to generate a client-id and use that for API calls but I’m not sure if it can be used to safely connect the bot to chat without giving the user full control. Any suggestions would be appreciated. Thanks!

Either have the users listen to chat on their own accounts (implicit auth on the page) or build a back-end of your own to handle the connection to chat.

Well, the bot has other functionalities aside from playing song requests so it will still need to be able to connect to chat from the client and I’m not sure how to safely authenticate the connection without the token being discoverable.

You need to have your app follow the MVC software architecture and put the key in your controller. Your front end view that the user sees should never contain the business logic. It should always pass requests to your back end and allow the back end to do the work, and then send the information asynchronously back to the front end.

1 Like


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.