1. Store Secrets on the Backend Only

• Use the Client Secret only in server-side applications.
• Never expose secrets in frontend code (JavaScript, HTML, React, etc.).
• Never embed secrets in mobile applications.
• Never commit secrets to public repositories.

Frontend applications should communicate with your backend server, and your backend should securely call Kawach APIs using the secret.

2. Use Environment Variables

Store secrets in environment variables instead of hardcoding them directly into your application code.

Avoid this:

const secret = "sk_live_abc123";

Use this:

const secret = process.env.KAWACH_CLIENT_SECRET;

This prevents accidental exposure of secrets in source code.

3. Restrict Access

• Limit access to production secrets.
• Ensure only authorized team members can view or rotate credentials.
• Do not share secrets through email or chat tools.

4. Rotate Compromised Secrets Immediately

If you suspect a secret has been exposed:

1. Revoke the credential in the Kawach dashboard.
2. Generate a new credential.
3. Update your backend configuration.

5. Use Secure Storage Systems (Recommended)

For production systems, use secure secret management tools such as:

• Cloud secret managers (AWS Secrets Manager, GCP Secret Manager, Azure Key Vault)
• Encrypted configuration stores
• Infrastructure-level environment management

6. Never Log Secrets

Ensure your application logs do not contain:

• Client Secret values
• Full authentication headers

Logging secrets increases the risk of unintended exposure.