This content originally appeared on DEV Community and was authored by Leon Fazliu
Public-facing apps built with React, Flutter, or plain JavaScript often make a critical OAuth mistake: they use the Client Credentials Grant to access protected APIs directly from the frontend.
This breaks core OAuth security assumptions.
In this post, I explain:
- What the Client Credentials Grant was designed for
- Why it’s dangerous to use in public apps
- Real-world risks like token leakage and backend impersonation
- What to use instead (like PKCE or backend proxies)
The problem is more common than it should be — and it often goes unnoticed until something breaks.
You can read the full breakdown here:
https://blog.sentry.security/oauth-2-0-client-credentials-misuse-in-public-apps/
If you've encountered this or seen similar misuses, feel free to share or discuss below.

Leon Fazliu | Sciencx (2025-07-02T10:17:48+00:00) Misusing OAuth 2.0 Client Credentials in Public Apps — A Security Breakdown. Retrieved from https://www.scien.cx/2025/07/02/misusing-oauth-2-0-client-credentials-in-public-apps-a-security-breakdown/