Learn about security best practices while developing on Smartcar.
At Smartcar, our priority is to ensure the security of your data as well as your app users' data. This guide goes through some of the best practices you can follow to keep your application and user data as secure as possible.
Client Credentials - Your client credentials consist of your client ID and client secret. Think of these as your username and password to Smartcar.
Authorization Code - An authorization code represents a user's consent to grant your application access to their vehicle.
Access Token - An access_token represents your application's access to a vehicle on behalf of the vehicle owner.
Refresh Token - A refresh_token gives you the ability to renew your
Your application should load your client secret via an environment variable.
You don't need to store your authorization code. Instead, exchange it for an access_token in your back end, immediately after receiving it. The authorization_code expires 10 minutes after being issued.
Store your access_token in a persistent store in your back end (e.g. SQL DB or session store). If you expose your access_token in your front end, your application's security will be at risk, potentially giving bad actors access to your users' data.
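The practices on this page in one back-end flow, as an added example that is not Smartcar's own code: the client secret comes from the environment, the authorization code is exchanged on receipt and never stored, and tokens stay in a server-side store with their expirations. The environment variable names, the `exchange` callable and the token response field names are assumptions.

```python
import os, secrets, sqlite3, time

def load_client_credentials(env=os.environ):
    """Read credentials from the environment; fail fast, never fall back to a literal."""
    try:  # variable names are assumptions, not fixed by Smartcar
        return env["SMARTCAR_CLIENT_ID"], env["SMARTCAR_CLIENT_SECRET"]
    except KeyError as missing:
        raise RuntimeError(f"missing environment variable {missing}") from None

def open_token_store(path=":memory:"):
    """Back-end persistent store; the front end never reads this table."""
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS tokens (
        session_id TEXT PRIMARY KEY,
        access_token TEXT NOT NULL, access_expires_at REAL NOT NULL,
        refresh_token TEXT NOT NULL, refresh_expires_at REAL NOT NULL)""")
    return db

def handle_callback(db, code, exchange, now=time.time):
    """Exchange the authorization code right away; the code itself is not stored."""
    tokens = exchange(code)  # hypothetical callable that performs the token request
    session_id, issued = secrets.token_urlsafe(32), now()
    db.execute("INSERT INTO tokens VALUES (?, ?, ?, ?, ?)", (
        session_id,
        tokens["access_token"], issued + tokens["expires_in"],
        tokens["refresh_token"], issued + tokens["refresh_expires_in"]))
    db.commit()
    return {"session_id": session_id}  # only an opaque id is sent to the front end

def access_token_for(db, session_id, now=time.time):
    """Return a still-valid access token, or None when it has to be renewed."""
    row = db.execute("SELECT access_token, access_expires_at FROM tokens "
                     "WHERE session_id = ?", (session_id,)).fetchone()
    if row is None or row[1] <= now():
        return None
    return row[0]

def fake_exchange(code):
    # Constructed token response for the demo; field names and lifetimes are assumptions.
    return {"access_token": "at-constructed", "expires_in": 7200,
            "refresh_token": "rt-constructed", "refresh_expires_in": 5184000}

if __name__ == "__main__":
    store = open_token_store()
    reply = handle_callback(store, "constructed-code", fake_exchange)
    print("sent to front end:", sorted(reply))
    print("token available server-side:", access_token_for(store, reply["session_id"]) is not None)
```
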
We recommend that you keep your refresh_token and its expiration in the same store along with your