This content originally appeared on DEV Community and was authored by Leon Fazliu
Public-facing apps built with React, Flutter, or plain JavaScript often make a critical OAuth mistake: they use the Client Credentials Grant to call protected APIs directly from the frontend.
This breaks a core OAuth security assumption: the grant is meant for confidential clients that can keep a secret, and code shipped to a browser or mobile device cannot.
In this post, I explain:
- What the Client Credentials Grant was designed for
- Why it’s dangerous to use in public apps
- Real-world risks like token leakage and backend impersonation
- What to use instead (like PKCE or backend proxies)
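The backend-proxy alternative from the last bullet, as an added example that is not code from the original post: a minimal Node.js proxy that keeps the client credentials server-side, obtains a token with the Client Credentials Grant, and forwards allow-listed calls, plus a release check for secrets in a public bundle. The token URL, upstream API, environment variable names and the injectable `fetchImpl` are assumptions.

```javascript
// Added example, not code from the original post. A minimal Node.js backend
// proxy that keeps the OAuth client credentials server-side: the browser talks
// only to the proxy, which holds the secret, obtains a token with the Client
// Credentials Grant, and forwards the call. URLs and env names are assumed.
const TOKEN_URL = "https://issuer.example/oauth/token"; // assumed placeholder
const UPSTREAM_API = "https://api.example";            // assumed placeholder
const CLIENT_ID = process.env.OAUTH_CLIENT_ID || "placeholder-client-id";
const CLIENT_SECRET = process.env.OAUTH_CLIENT_SECRET || "placeholder-secret"; // never shipped to a browser

// Client-credentials token request (RFC 6749 section 4.4) using HTTP Basic auth.
function buildTokenRequest(clientId, clientSecret, scope) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
  const body = new URLSearchParams({ grant_type: "client_credentials", scope });
  return {
    method: "POST",
    headers: { Authorization: `Basic ${basic}`, "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Caches the access token and refreshes it 30 s before expiry. fetchImpl is
// injected so the logic can be exercised offline with a fake fetch.
function createTokenProvider(fetchImpl, scope) {
  let cached = null;
  return async function getToken(now = Date.now()) {
    if (cached && cached.expiresAt - 30000 > now) return cached.token;
    const res = await fetchImpl(TOKEN_URL, buildTokenRequest(CLIENT_ID, CLIENT_SECRET, scope));
    if (!res.ok) throw new Error(`token endpoint returned HTTP ${res.status}`);
    const json = await res.json();
    cached = { token: json.access_token, expiresAt: now + json.expires_in * 1000 };
    return cached.token;
  };
}

// Proxy handler: the browser must already be authenticated to the proxy (its
// own session), the path is allow-listed, and the server-held token is attached.
async function proxyRequest(fetchImpl, getToken, req) {
  if (!req.user) return { status: 401, body: "login required" };
  if (!/^\/api\/[\w\/-]*$/.test(req.path)) return { status: 404, body: "not found" };
  const token = await getToken();
  const res = await fetchImpl(UPSTREAM_API + req.path, { headers: { Authorization: `Bearer ${token}` } });
  return { status: res.status, body: await res.text() };
}

// Release check: a public bundle must not contain credential material or a
// client-credentials exchange; if this matches, the secret has leaked.
function bundleLeaksSecret(bundleText) {
  return /client_secret|grant_type=client_credentials/i.test(bundleText);
}
```

Without the `req.user` check the proxy becomes an open relay for anyone who can reach it, so the session check is part of the fix, not an optional extra.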
The problem is more common than it should be — and it often goes unnoticed until something breaks.
You can read the full breakdown here:
https://blog.sentry.security/oauth-2-0-client-credentials-misuse-in-public-apps/
If you’ve encountered this or seen similar misuses, feel free to share or discuss below.