When creating a Developer App with Manifold, you are presented with three Grant Types to choose from. So how do you decide? For the most part, Token Grant will be the quickest and easiest way to set up your application. However, the other types are worth considering too, because each one makes a different trade-off between setup effort and how exposed the access token is. Here is some information about each.
The Signature Grant Type is the recommended option if you intend to use both the read and write APIs, as well as make server-to-server API calls and authentication. The client is given a one-time-use code, which is exchanged for an access token. All of this happens client-side and is built into our widget, so it is as simple to set up as the Token Grant Type. In addition, you can revoke access tokens, which gives you peace of mind when using the auth flow exclusively on the frontend.
The Signature Grant Type is subject to man-in-the-middle attacks. If someone is snooping on your network, they may intercept the access token and call the read and write APIs as the user. In that situation, the application's private information for that specific user may be compromised. Because the token lives in the browser, serve the page over HTTPS only, and revoke tokens you no longer need rather than leaving them valid; revocation is what limits the window an intercepted token is useful for.
The Token Grant Type is the best option if you want to get started quickly, only have a frontend website, and only need to read public information associated with the wallet and trigger transaction signatures.
The downside to the Token Grant Type is that the access token is passed directly to the client, and so it is subject to man-in-the-middle attacks. If someone is snooping on your network, they may intercept the access token and call the read APIs as the user. However, that data is publicly available anyway, so interception exposes nothing private. The token is still a credential that lets whoever holds it make read calls as the user, so serve the page over HTTPS and keep this grant type for public reads only.
The authorization code grant type is the most secure, and provides access to the read and write APIs, as well as server-to-server read and write APIs. It returns an authorization code to your client, which is passed to your server and exchanged there for an access token. That access token can then be stored on your backend (most secure) or passed back to your client (less secure, since it is then exposed to the same interception risk as the other grant types).
If you elect to store the access token on your backend server, then any time you want to query one of our data APIs you pass the query from the client to your own server, which makes the request to our server. This way the access token is never revealed client-side, and every API call goes through your own server, where you can also restrict which queries a client is allowed to make. This gives more security, but it means building and operating both a frontend and a backend. We suggest this option for power users who want the comfort of a higher level of security.