Misusing OAuth 2.0 Client Credentials in Public Apps — A Security Breakdown

This content originally appeared on DEV Community and was authored by Leon Fazliu

Public-facing apps like React, Flutter, or plain JavaScript often make a critical OAuth mistake: they use the Client Credentials Grant to access protected APIs directly from the frontend.

This breaks core OAuth security assumptions.

In this post, I explain:

  • What the Client Credentials Grant was designed for
  • Why it’s dangerous to use in public apps
  • Real-world risks like token leakage and backend impersonation
  • What to use instead (like PKCE or backend proxies)

The problem is more common than it should be — and it often goes unnoticed until something breaks.

You can read the full breakdown here:

https://blog.sentry.security/oauth-2-0-client-credentials-misuse-in-public-apps/

If you've encountered this or seen similar misuses, feel free to share or discuss below.


Leon Fazliu | Sciencx (2025-07-02T10:17:48+00:00) Misusing OAuth 2.0 Client Credentials in Public Apps — A Security Breakdown. Retrieved from https://www.scien.cx/2025/07/02/misusing-oauth-2-0-client-credentials-in-public-apps-a-security-breakdown/