Sending developer token to backend, how can I hide sensitive data?

Question

I'm working with Apple Music MusicKit js API.

MusicKit is a front end js library that requires using the developer token in the front end to configure the MusicKit instance and get a user token.

I am attempting to create a web app utilizing MusicKit and I want to hide the developer token from users as it is sensitive data. I've noticed sending the token to the backend or bringing it into the front end from the backend causes it to show up in the network tab.

How can I set up my app in a way that I can utilize the developer token to get a user token but keep it hidden from users?

Answer 1

Use HTTPS: Imagine the envelope is secure, and only the receiver can open it. When you send your token, do it over HTTPS. It's like a secure envelope for your data.

Don't Display in URLs: It's like shouting your secret on the street. Instead of putting the token in the URL, send it in the request body or headers. It's like putting the secret inside the sealed envelope.

Encrypt if Possible: Encrypting is like writing the secret in a secret code. If your backend and frontend support it, encrypt the token so even if someone intercepts it, they can't understand it.

Use Environment Variables: Think of these like hiding your secret in a locked box. Store your token in a secure place on your server, like environment variables. Your code can access it without displaying it in the open.

Answer 2

From the documentation, Apple clearly expects that you'll include the developer token in your HTML or client-side JavaScript, so it's not confidential information. There's no need to hide it. (And you can't hide information you send the user's browser from the user.)

On the page on creating a developer token, note the part about the origin:

• Optional, but recommended for web clients, use the origin claim (origin). Only use this JWT if the origin header of the request matches one of the values in the array. This addition helps prevent unauthorized use of the tokens. For example: "origin":["https://example.com","https://music.example.com"].

(my emphasis)

So when creating your token, include your app's origin(s) (protocol, hostname, and port if it's not 80, e.g. https://example.com) so Apple can reject requests from code running on other origins that tries to use your developer token.