I’ve an account for the genius.com API, and they gave me a Client ID and Client Secret, but also let me generate a JWT, which my backend now sends as a Bearer token for requests.
I’m not using the full powers of the API, I only want to have access to their music data, but I think theoretically I could have a website where users can log in with their genius accounts, my backend would use the Client ID and Client Secret to generate a JWT for the user, which would authorise them to make POST and PUT requests to the API via my webpage.
I haven’t really thought about this, might be totally wrong. But yeah @farisp you definitely want to hide that token just as you’d hide an API key.
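
An added example (not part of the original post, and not Genius's own code) of keeping the token on the backend as described above: the server builds the upstream request itself, attaches the Bearer token from its own environment, and forwards only read-only lookups. The base URL `https://api.genius.com`, the allowed paths and the `GENIUS_ACCESS_TOKEN` variable name are assumptions.

```python
import os
import re
import urllib.parse
import urllib.request

# Assumptions for this example: base URL, allowed paths and env var name.
API_BASE = "https://api.genius.com"
ALLOWED_PATHS = (re.compile(r"/search"), re.compile(r"/songs/\d+"))
TOKEN_ENV = "GENIUS_ACCESS_TOKEN"


class Rejected(Exception):
    """Raised when a browser request must not be forwarded upstream."""


def build_upstream_request(method, path, query, client_headers=None):
    """Map a browser request to an upstream request carrying the server-held token."""
    # Read-only use: never forward POST/PUT with the server's credential.
    if method.upper() != "GET":
        raise Rejected("only GET is proxied")
    # Allowlist exact path shapes so the proxy cannot be steered elsewhere.
    if not any(p.fullmatch(path) for p in ALLOWED_PATHS):
        raise Rejected("path not allowed")
    token = os.environ.get(TOKEN_ENV)
    if not token:
        raise RuntimeError(TOKEN_ENV + " is not set on the server")
    url = API_BASE + path
    if query:
        url += "?" + urllib.parse.urlencode(query)
    # client_headers is ignored on purpose: nothing the browser sends
    # (including its own Authorization header) reaches the upstream API.
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Accept", "application/json")
    return req


def headers_for_browser(upstream_headers):
    """Drop credential-bearing headers before relaying a response to the browser."""
    blocked = {"authorization", "set-cookie", "www-authenticate"}
    return {k: v for k, v in upstream_headers.items() if k.lower() not in blocked}
```

The token lives only in the server's environment, so it never appears in page source, client-side JavaScript or responses relayed to the browser.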