Open
Description
Any developer who wishes to implement their own client needs to host the API themselves.
For enhanced security and identification, the cookies are set with the SameSite=Strict
policy. The frontend must therefore be served under the same domain name as the backend (it can be deployed on a different sub-domain of that domain).
In future, if we wish to let other developers (non-official clients) use the API hosted by us, we will follow a streamlined approach of:
- issuing API keys and secrets to developers for the specific set of scopes they request;
- allowing developers to register their domain;
- storing the list of allowed domains in our db, and defining our CORS policy on the fly using a callback function that consults that list;
- creating our own OAuth consent screens for the scopes requested by other developers, so that an external developer's code can access a user's resource only with that user's authorization.
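One way to implement the callback-driven CORS policy from the third point, as an added example that is not the project's own code: the allow-list lookup is stubbed with constructed sample origins standing in for the db query, and the `(origin, callback)` adapter assumes an Express-style `cors` middleware. Because the cookies must travel with cross-origin requests from the registered front-ends, the response echoes one exact origin with `Access-Control-Allow-Credentials: true` rather than a wildcard.

```javascript
// Added example: dynamic CORS allow-list check (not the project's own code).
// Stand-in for the db lookup described in the text; returns constructed sample
// data. In production this would be an async query against the registered
// domains table, cached for a short time to avoid a query per request.
function loadAllowedOrigins() {
  return new Set([
    "https://app.example.com",      // constructed sample value
    "https://partner.example.org",  // constructed sample value
  ]);
}

// Normalise an Origin header value to scheme://host[:port] so that
// "HTTPS://APP.EXAMPLE.COM/" and "https://app.example.com" compare equal.
// Anything that is not a bare origin (has a path, query or fragment, or does
// not parse as a URL, such as the literal string "null") yields null.
function normalizeOrigin(origin) {
  try {
    const u = new URL(origin);
    if (u.pathname !== "/" || u.search || u.hash) return null;
    return u.origin; // lower-cased scheme and host, default port dropped
  } catch {
    return null;
  }
}

// Decide whether a request from `origin` may receive a CORS response.
// Returns the exact origin to echo back, or null to refuse. A wildcard is never
// returned: credentialed (cookie-bearing) requests require an exact match.
function resolveCorsOrigin(origin, allowed = loadAllowedOrigins()) {
  if (typeof origin !== "string") return null; // same-origin or non-browser client
  const normalized = normalizeOrigin(origin);
  if (normalized === null) return null;
  return allowed.has(normalized) ? normalized : null;
}

// Response headers for an allowed origin. `Vary: Origin` stops shared caches
// from serving one origin's response to a different origin.
function corsHeadersFor(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Adapter in the (origin, callback) shape the Express `cors` package accepts
// for its `origin` option: callback(err, value), where value is the origin
// string to set or `false` to send no CORS headers at all.
function corsOriginCallback(origin, callback) {
  const allowed = resolveCorsOrigin(origin);
  callback(null, allowed === null ? false : allowed);
}
```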
Read more about CORS and the SameSite cookie options.