Grant Types

Choosing a Grant Type

When creating a Developer App with Manifold, you are presented with three Grant Types to choose from. So how do you decide? For the most part, Token Grant will be the quickest and easiest way to set up your application. However, the other types are worth considering too. Here is some info about each.
It is important to note that the Manifold Widgets and Data APIs do not grant an application the ability to execute blockchain transactions on behalf of a wallet. Each blockchain transaction will always need to be signed and executed by the user.

Token Grant

Provides read-only access to publicly available data offered by the Manifold Data APIs, such as those available in the NFT Data API.
Ease of Use: Easy
Revokable Access Tokens: No
Write API Access: No
Server-to-Server API Access: No
This is the best option if you want to get started quickly, have only a frontend website, and need only to read public information associated with the wallet and trigger transaction signatures.

Security Considerations

The downside to the Token Grant Type is that the access token is passed directly to the client, so it is subject to man-in-the-middle attacks: someone snooping on your network could intercept the access token and call the read APIs as the user. However, this data is publicly available anyway, so there is no privacy risk here.

Authorization Code Grant

PREREQUISITE: You need to operate your own backend server to use this grant type.
Provides access to Manifold's read and write Data APIs. Also provides access to Manifold's server-to-server APIs.
Ease of Use: Difficult
Revokable Access Tokens: Yes
Write API Access: Yes
Server-to-Server API Access: Yes
This is the most secure grant type, and provides access to read and write APIs, as well as server-to-server read and write APIs. This Grant Type returns an authorization code to your client, which is passed to your server to exchange for an access token. This access token can then be stored on your backend (most secure) or passed back to your client (less secure).

Server Stored Access Tokens (most secure)

If you elect to store the access token on your backend server, any time you want to make a query to one of our data APIs, you will pass the query from the client to your own server before making the request to our server. This way the access token is never revealed client-side, and all API calls must go through your own server. While this gives more security, there is a lot more overhead in managing both a frontend and a backend. We suggest this option for power users who want the comfort of a higher level of security.
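As an added example (not code from Manifold or from this page), the Node.js skeleton below shows the server-stored token flow: the browser hands the server the authorization code, the server exchanges it and keeps the token in memory, and every data query is proxied through the server so the token never reaches the client. The token endpoint, data API base URL, request field names and environment variable names are assumptions, not Manifold's real API.

```javascript
// Added example (not Manifold's own code): the server-stored token pattern
// for the Authorization Code Grant. Endpoint URLs, field names and env var
// names are placeholders assumed here, not Manifold's real API.
const TOKEN_ENDPOINT = "https://PLACEHOLDER.example/oauth/token"; // assumption
const DATA_API_BASE = "https://PLACEHOLDER.example/data";         // assumption

// Access tokens live only in server memory, keyed by an opaque session id,
// and are never serialised into a response to the browser.
const tokenVault = new Map();

// Step 1: the browser posts the authorization code it got from the widget;
// the server exchanges it for an access token and keeps the token.
async function exchangeCode(sessionId, code, fetchImpl = fetch) {
  const res = await fetchImpl(TOKEN_ENDPOINT, {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify({
      grant_type: "authorization_code",
      code,
      client_id: process.env.CLIENT_ID,         // assumed env var names
      client_secret: process.env.CLIENT_SECRET, // secret stays server-side
    }),
  });
  if (!res.ok) throw new Error(`token exchange failed: HTTP ${res.status}`);
  const { access_token } = await res.json();
  tokenVault.set(sessionId, access_token);
  return { ok: true }; // deliberately no token in the client response
}

// Step 2: every data query goes browser -> this server -> data API. The
// server attaches the bearer token; the browser never sees it.
async function proxyQuery(sessionId, path, fetchImpl = fetch) {
  const token = tokenVault.get(sessionId);
  if (!token) return { status: 401, body: { error: "not authorized" } };
  // Accept only a relative path under the data API, so the proxy cannot be
  // turned into an open relay that sends the token to arbitrary hosts.
  if (!/^\/[A-Za-z0-9_\-.\/?=&]*$/.test(path)) {
    return { status: 400, body: { error: "bad path" } };
  }
  const res = await fetchImpl(DATA_API_BASE + path, {
    headers: { authorization: `Bearer ${token}` },
  });
  return { status: res.status, body: await res.json() };
}

// Logout: drop the token so later queries for that session are refused.
function forgetSession(sessionId) {
  return tokenVault.delete(sessionId);
}
```

Wire `exchangeCode` and `proxyQuery` to two authenticated routes of your backend; the session id should come from your own session cookie, never from a client-supplied parameter.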

Signature Grant

Provides access to Manifold's read and write Data APIs. Also provides access to Manifold's server-to-server APIs.
Ease of Use: Easy
Revokable Access Tokens: Yes
Write API Access: No
Server-to-Server API Access: Read and Event Notification Only
This is the recommended option if you intend to use both read and write APIs, as well as do server-to-server API calls and authentication. The client is given a one-time-use code, which can be exchanged for an access token. All of this is done client-side and built into our widget, so it is as simple as the Token Grant type. In addition, you have the ability to revoke access tokens, which gives you peace of mind in using the auth flow exclusively on the frontend.

Security Considerations

Like the Token Grant Type, the Signature Grant Type is subject to man-in-the-middle attacks. If someone is snooping on your network, they may intercept the access token and call the read and write APIs as the user. In this situation, private application information for that specific user may be compromised.