Security

  • Never expose client_secret in frontend code or logs.
  • Call the launcher only from your backend.
  • Treat the returned URL as single-use and short-lived; fetch a new one per session.
  • Store credentials in a secret manager; rotate on compromise.