Protect your client secret
Your Client Secret is the credential that lets your app exchange authorization codes for access tokens. Treat it like a password.
- It is shown once, at creation. Store it in a secrets manager or an environment variable injected at deploy time, never in source control.
- Rotating it is a breaking change (the old secret stops working), so plan a brief cutover. See managing your client secret.
- Rotate immediately if you suspect it has leaked.
Use OAuth, do not roll your own
Fanvue handles authentication for you through OAuth 2.0 with PKCE (Proof Key for Code Exchange: your app sends a hash of a one-time secret when it starts the flow and the secret itself when it redeems the authorization code, so an intercepted code cannot be exchanged for tokens by anyone else). You never see or store a user's Fanvue password. Do not build your own login against Fanvue; use the flow in the Authentication guide.
Request the least scope you need
Scopes are the specific permissions a user grants your app. Request only the ones your features require: a read-only dashboard has no business asking for write:* scopes. Narrow scopes limit the damage if a token is ever compromised, and they make your consent screen easier for users to trust. See Scopes.
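The two points above, PKCE and least scope, meet in the first leg of the flow: the app generates the PKCE verifier and a CSRF state, keeps both server-side, and sends the user to the authorization endpoint with only the scopes it needs. The following is an added example, not code from the Fanvue documentation or SDK; the endpoint, client id, redirect URI and scope name are constructed placeholders (take the real values from the Authentication guide, your app settings and the Scopes page), and the `session` dict stands in for whatever server-side session store you use.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Constructed placeholders (assumptions for this example), not real Fanvue values.
AUTHORIZE_URL = "https://auth.example.invalid/oauth/authorize"
CLIENT_ID = "your-client-id"
REDIRECT_URI = "https://app.example.invalid/oauth/callback"


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding RFC 7636 uses for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """High-entropy verifier: 32 random bytes -> 43 unreserved chars (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 method: challenge = base64url(SHA-256(verifier)). Only the challenge leaves the server."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str, scopes: list) -> str:
    """URL to redirect the user to. `scopes` should be the minimum the feature needs."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def start_login(session: dict, scopes: list) -> str:
    """Generate verifier and state, keep them in the server-side session, return the redirect URL."""
    session["pkce_verifier"] = make_code_verifier()
    session["oauth_state"] = secrets.token_urlsafe(32)
    return build_authorize_url(session["pkce_verifier"], session["oauth_state"], scopes)


def token_request_params(session: dict, callback_query: dict, client_secret: str) -> dict:
    """Validate the callback, then build the form body for the server-to-server code exchange.

    The verifier and the client secret travel only in this back-channel request. The
    authorization server hashes the verifier and rejects the code unless it matches the
    challenge sent at the start, so a code intercepted on the redirect is useless on its own.
    `client_secret` is read by the caller from the secrets manager or environment, never hard-coded.
    """
    if callback_query.get("error"):
        raise PermissionError(f"authorization denied: {callback_query['error']}")
    expected_state = session.pop("oauth_state", None)
    got_state = callback_query.get("state", "")
    # Constant-time compare of the CSRF state; a mismatch means the callback did not
    # originate from a login this session started.
    if not expected_state or not hmac.compare_digest(expected_state.encode(), got_state.encode()):
        raise PermissionError("state mismatch: callback does not belong to this session")
    if "code" not in callback_query:
        raise PermissionError("callback carries no authorization code")
    return {
        "grant_type": "authorization_code",
        "code": callback_query["code"],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "code_verifier": session.pop("pkce_verifier"),
    }


if __name__ == "__main__":
    sess = {}
    # "read:example" is a constructed scope name; use the real ones from the Scopes page.
    print("redirect user to:", start_login(sess, ["read:example"]))
    fake_callback = {"code": "code-from-redirect", "state": sess["oauth_state"]}
    print("POST body for token endpoint:", token_request_params(sess, fake_callback, "secret-from-vault"))
```

The verifier and state are popped from the session on use so a replayed callback fails the state check; the access and refresh tokens returned by the token endpoint should then be stored as the Handle tokens section describes.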
Handle tokens carefully
- Keep access tokens and refresh tokens server-side. Do not expose them to the browser.
- Access tokens are short-lived (about an hour). Refresh them with the refresh token rather than sending the user back through login.
- Store tokens encrypted at rest, scoped to the user they belong to.
Verify every webhook
Webhook requests are signed. Before you act on one, confirm it genuinely came from Fanvue by checking the X-Fanvue-Signature header against the raw request body, and reject the request before you parse or process it if the check fails. Otherwise anyone who discovers your endpoint URL could send you fake events. See Verify webhook signatures.
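The shape of that check, as an added example that is not code from the Fanvue documentation: it assumes the header carries a hex HMAC-SHA256 of the raw body under a per-app signing secret (take the actual algorithm, header format and secret from the Verify webhook signatures guide), the secret and event payload are constructed, and `handle_webhook` stands in for your framework's request handler.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed signing secret for this example; the real one comes from your app's
# webhook settings and belongs in your secrets manager (assumption).
WEBHOOK_SECRET = b"whsec_constructed_example_secret"
SIGNATURE_HEADER = "X-Fanvue-Signature"


def sign_body(secret: bytes, raw_body: bytes) -> str:
    """Assumed scheme: hex HMAC-SHA256 over the exact bytes received on the wire."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, header_value: Optional[str]) -> bool:
    """True only if the header matches the recomputed signature; missing header is a failure."""
    if not header_value:
        return False
    expected = sign_body(secret, raw_body)
    # Constant-time compare: a plain == returns early on the first differing byte and
    # leaks how much of a forged signature was correct.
    return hmac.compare_digest(expected.encode(), header_value.strip().lower().encode())


def handle_webhook(headers: dict, raw_body: bytes, secret: bytes = WEBHOOK_SECRET) -> dict:
    """Verify first, parse second. Returns the event dict, or raises if it cannot be trusted.

    Signing must run over `raw_body` as received: re-serialising parsed JSON changes
    whitespace and key order and would break the comparison.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if not verify_signature(secret, raw_body, lowered.get(SIGNATURE_HEADER.lower())):
        raise PermissionError("rejecting webhook: missing or invalid signature")
    return json.loads(raw_body)


if __name__ == "__main__":
    # Constructed sample event, not a real Fanvue payload.
    body = b'{"type":"example.event","id":"evt_constructed_1"}'
    event = handle_webhook({SIGNATURE_HEADER: sign_body(WEBHOOK_SECRET, body)}, body)
    print("accepted:", event["id"])
    try:
        handle_webhook({SIGNATURE_HEADER: sign_body(b"attacker-guess", body)}, body)
    except PermissionError as err:
        print(err)
```

Return a non-2xx status on rejection and do not log the body of a request that failed verification beyond what you need to debug it. If the real header format also carries a timestamp, check it for freshness as well so a captured request cannot be replayed later.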
Handle user data responsibly
- Read and store only the data your scopes and your feature actually need.
- Never log tokens, secrets, or personal data.
- Show users a generic error message; log the detail server-side for yourself.
- Always serve your app over HTTPS so tokens and data are encrypted in transit.
Security is shared: Fanvue secures the platform and the OAuth flow; you secure your app, your server, and the credentials and tokens you hold.