We were considering making GraphQL API calls on the client side, but because it requires an auth token, I'm curious about security. If we generate an "Access to master" token and use it in frontend code, is that a security risk? Can those tokens be public? How do you lock them down if so? Like, can you restrict it to a domain?
Publicly accessible API keys or tokens shouldn't be committed to your GitHub repo along with all other docs. The usual, most common way to hide your tokens in the front-end is by creating a .env file which is never shown in the repository.
I found this really useful article online that might help you understand this better.
This issue has been closed due to inactivity.