When are Client Secret and Client ID used?

Hi,

We're integrating an app to use prismic.io. We've generated an access token to give access to a private repo and can see the following is generated:

  • Client ID
  • Client Secret
  • Access Token

The "access to master" token can be passed as an option when creating Prismic.client() but this leads to that access token being exposed on subsequent requests.

If this is the suggested way of using the access token, what are Client ID and Client Secret used for? Is it possible for a client to request a token using these instead of exposing the "master" one that is generated?

Any info on this would be great.

Thanks!

Hello @itsupport,

Welcome to the Prismic community.

It is not possible to hide the access token on the client side. Rather, you have the following options:

  1. Create user-specific access tokens.
  2. Give access to authorized users.
  3. Create a proxy server.

I believe you will have to use the third option for your scenario.

I found this really useful article online that might help you understand this better:
https://betterprogramming.pub/how-to-hide-your-api-keys-c2b952bc07e6

Client ID and Client Secret are the combinations to authenticate the API. The same task is done with an access token.

Let me know if you have any other doubts.

Thanks,

Priyanka
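
The proxy option from the reply above, sketched as an added example (not code from the thread or from Prismic): the browser calls the proxy, and only the proxy holds the token. The repository name `your-repo-name`, the `PRISMIC_ACCESS_TOKEN` environment variable, the allowlisted paths and the helper names are assumptions for illustration.

```javascript
// Added example: a server-side proxy that keeps the Prismic access token off the client.
// Assumptions (not from the thread): "your-repo-name" is a placeholder repository,
// the token lives in the PRISMIC_ACCESS_TOKEN environment variable, and the API accepts
// the token as the `access_token` query parameter on /api/v2 endpoints.
const UPSTREAM = 'https://your-repo-name.cdn.prismic.io';
const ALLOWED_PATHS = new Set(['/api/v2', '/api/v2/documents/search']);

// Build the upstream URL for an incoming request, or return null if it must be refused.
function buildUpstreamUrl(requestUrl, token) {
  const incoming = new URL(requestUrl, 'http://proxy.invalid');
  const path = incoming.pathname.replace(/\/+$/, '');
  if (!ALLOWED_PATHS.has(path)) return null; // exact-match allowlist, nothing else is forwarded
  const upstream = new URL(path, UPSTREAM); // host always comes from UPSTREAM, never the request
  for (const [key, value] of incoming.searchParams) {
    if (key.toLowerCase() === 'access_token') continue; // drop any client-supplied token
    upstream.searchParams.append(key, value);
  }
  upstream.searchParams.set('access_token', token); // injected server-side only
  return upstream;
}

// Node request handler: forwards allowed GETs and relays the upstream response.
async function handle(req, res, token) {
  const target = req.method === 'GET' ? buildUpstreamUrl(req.url, token) : null;
  if (!target) { res.writeHead(403).end('Forbidden'); return; }
  try {
    const upstreamRes = await fetch(target);
    const body = await upstreamRes.text();
    res.writeHead(upstreamRes.status, { 'Content-Type': 'application/json' }).end(body);
  } catch (err) {
    // Log without the URL: its query string contains the token.
    console.error('upstream request failed:', err.name);
    res.writeHead(502).end('Bad gateway');
  }
}

async function startProxy(port = 8080) {
  const token = process.env.PRISMIC_ACCESS_TOKEN;
  if (!token) throw new Error('PRISMIC_ACCESS_TOKEN is not set');
  const http = await import('node:http'); // dynamic import works in CommonJS and ES modules
  http.createServer((req, res) => handle(req, res, token)).listen(port, '127.0.0.1');
}

// Start only when the token is configured in the environment.
if (process.env.PRISMIC_ACCESS_TOKEN) startProxy().catch((e) => console.error(e.message));
```

The proxy itself still needs its own access control (session check, rate limiting) if the repository content is private, since anyone who can reach it can read whatever the allowlist exposes.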
