The latest articles on DEV Community by Leon Fazliu (@leonfazliusentry). https://dev.to/leonfazliusentry https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3316174%2F36b9ae88-2e2b-4b65-a979-76ada9de8436.png https://dev.to/leonfazliusentry en Leon Fazliu Wed, 02 Jul 2025 10:17:48 +0000 https://dev.to/leonfazliusentry/misusing-oauth-20-client-credentials-in-public-apps-a-security-breakdown-1hj2 https://dev.to/leonfazliusentry/misusing-oauth-20-client-credentials-in-public-apps-a-security-breakdown-1hj2 <p>Public-facing apps like React, Flutter, or plain JavaScript often make a critical OAuth mistake: they use the <strong>Client Credentials Grant</strong> to access protected APIs directly from the frontend.</p> <p>This breaks core OAuth security assumptions.</p> <p>In this post, I explain:</p> <ul> <li>What the Client Credentials Grant was designed for</li> <li>Why it’s dangerous to use in public apps</li> <li>Real-world risks like token leakage and backend impersonation</li> <li>What to use instead (like PKCE or backend proxies)</li> </ul> <p>The problem is more common than it should be — and it often goes unnoticed until something breaks.</p> <p>You can read the full breakdown here:<br><br> <strong><a href="https://blog.sentry.security/oauth-2-0-client-credentials-misuse-in-public-apps/" rel="noopener noreferrer">https://blog.sentry.security/oauth-2-0-client-credentials-misuse-in-public-apps/</a></strong></p> <p>If you've encountered this or seen similar misuses, feel free to share or discuss below.</p> cybersecurity security oauth pentest