Version: 2.x

Why you should use the authorization code grant

By using the client credentials grant type, integrators can use the API without providing personal information about the data subject. In this case, only an external id (the id of the data subject on the controller side) needs to be provided to kazi. The client id and client secret, which kazi provides for access to the API, should be kept secret and stored in a secure location.

However, kazi strongly advises opting for the authorization code grant type, which enables a higher security access level. SPAs and other applications that expose the client id and client secret through JavaScript must access the API via the authorization code grant. Kazi does not allow these kinds of applications to access the API via the client credentials grant. In this case, the responsibility for data protection is transferred to the controller.
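
A build-time check for the rule above, as an added example (not kazi's own code): it scans the text of a front-end bundle for a literal client secret or a client credentials token request, either of which means the secret ships to the browser. The `scanBundle` helper, the rule names and the sample bundles are assumptions constructed for illustration.

```javascript
// Added example: flag front-end bundle lines that embed a client secret or
// request the client credentials grant from browser code.
const RULES = [
  // A string literal assigned to something named client_secret / clientSecret.
  { id: 'client-secret-literal',
    re: /client[_-]?secret["']?\s*[:=]\s*["'`][^"'`\s]{8,}["'`]/i },
  // grant_type set to client_credentials (object key, form body or append()).
  { id: 'client-credentials-grant',
    re: /grant_type["']?\s*(?:[:=,]\s*["'`]|=)client_credentials/i },
];

// source: bundle text. knownSecrets: secret values the CI job already holds,
// matched verbatim so a renamed variable is still caught.
function scanBundle(source, knownSecrets = []) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const { id, re } of RULES) {
      if (re.test(text)) findings.push({ rule: id, line: i + 1 });
    }
    for (const s of knownSecrets) {
      // Report only the position, never the secret value itself.
      if (s && text.includes(s)) findings.push({ rule: 'known-secret-value', line: i + 1 });
    }
  });
  return findings;
}

// Constructed sample: a bundle using client credentials from the browser.
const BAD_BUNDLE = [
  'const cfg = { client_id: "spa-demo", client_secret: "constructed-secret-123" };',
  'const body = "grant_type=client_credentials&client_id=" + cfg.client_id;',
].join('\n');

// Constructed sample: a bundle that starts an authorization code request.
const GOOD_BUNDLE = [
  'const q = new URLSearchParams({ response_type: "code", client_id: "spa-demo", state });',
  'location.assign(AUTHORIZE_URL + "?" + q);',
].join('\n');

console.log(scanBundle(BAD_BUNDLE, ['constructed-secret-123']));
console.log(scanBundle(GOOD_BUNDLE));
```

A non-empty result is a reason to fail the build and move the application to the authorization code grant.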