Permanent access tokens - Public?

We were considering making GraphQL API calls on the client side, but because it requires an auth token, I'm curious about security. If we generate a "Access to master" token and use in frontend code, is that a security risk? Can those tokens be public? How do you lock them down if so? Like can you restrict it to a domain?

Hey Jason!

Publicly accessible API keys or Tokens shouldn’t be committed to your Github repo along with all other docs. The usual most common way to hide your Tokens in the front-end is by creating an .env file which is never shown in the repository.

I found this really useful article online that might help you understand this better :wink:

This issue has been closed due to inactivity.