Grant Types
Choosing a Grant Type
When creating a Developer App with Manifold, you are presented with three Grant Types to choose from. So how do you decide? For the most part, Token Grant will be the quickest and easiest way to set up your application. However, the other types are worth considering too. Here is some info about each.
It is important to note that the Manifold Widgets and Data APIs do not grant an application to execute blockchain transactions on behalf of a wallet. Each blockchain transaction will always need to be executed by the user.
Signature Grant
Provides access to Manifold's read and write Data Client. Also provides access to Manifold's server-to-server APIs.
Ease of Use
Easy
Revokable Access Tokens
Yes
Write API Access
No
Server-to-Server API Access
Read and Event Notification Only
This is the recommend option if you intend to use both read and write APIs, as well as do server-to-server API calls and authentication. The client is given a one-time use code, which can be exchanged for an access token. All of this is done client-side and built into our widget, so it is as simple as the Token Grant type. In addition, you have the ability to revoke access tokens, which lets you have the peace of mind in using the auth flow exclusively on the frontend.
Security Considerations
The Signature Grant Types is subject to man-in-the-middle attacks. If someone is snooping on your network, they may intercept the access token and call the read and write APIs as the user. In this situation, application private information for that specific user may be compromised.
See Server-Side Session Authentication - Signature Grant Type for more details.
Token Grant
Provides read-only access to publicly available data offered by the Data Client.
Ease of Use
Easy
Revokable Access Tokens
No
Write API Access
No
Server-to-Server API Access
No
This is the best option if you want to get started quickly and only have a frontend website and only want the ability to read public information associated with the wallet and trigger transaction signatures.
Security Considerations
The downside to the Token Grant Type is that the access token is passed to the client directly, hence subject to man-in-the-middle attacks. If someone is snooping on your network, they may intercept the access token and call the read APIs as the user. However, this data is publicly available anyways, so there is no privacy risk here.
Authorization Code Grant
PREREQUISITE: You need to operate your own backend server to use this grant type.
Provides access to Manifold's read and write Data APIs. Also provides access to Manifold's server-to-server APIs.
Ease of Use
Difficult
Revokable Access Tokens
Yes
Write API Access
Yes
Server-to-Server API Access
Yes
This is the most secure grant type, and provides access to read and write APIs, as well as server-to-server read and write API's. This Grant Type returns an authorization code to your client, which is passed to your server to exchange for an access token. This access token can then be stored on your backend (most secure) or passed back to your client (less secure).
Server Stored Access Tokens (most secure)
If you elect to store the access token on your backend server, any time you want to make a query to one of our data APIs, you will pass the query from the client to your own server before making the request to our server. This way the access token is never revealed client-side, and all API calls must go through your own server. While this gives more security, there is a lot more overhead in managing both a frontend and backend. We suggest this option for more power users who want the comfort of a higher level of security.
See Server-Side Session Authentication - Authorization Code Grant for more details.
Last updated