Single-page applications cannot safely store a client secret in the browser. Use the authorization code flow with PKCE, or use the official @intastellar/signin-sdk-react package if you target React and your client is set up for it — the SDK uses a popup and verification instead of you wiring authorize + token POST by hand.
For concrete React and vanilla patterns (placeholders only), see Intastellar Sign-In — React and JavaScript.
Flow summary (custom code + PKCE)
- Generate
code_verifier(high-entropy random string) and derivecode_challenge(S256). - Store
code_verifierwhere you can read it on callback — e.g.sessionStoragefor the tab, or an encrypted cookie via a small BFF. - Redirect to
AUTHORIZATION_ENDPOINTwithcode_challenge/code_challenge_method=S256. - On callback, send
code+code_verifierto your backend (recommended) or to the token endpoint if your product allows public clients without a secret (confirm in your console).
Prefer a backend-for-frontend (BFF)
Even in a SPA, token exchange and refresh are safer on a same-origin API:
- Browser receives only an opaque session cookie from your API.
- Refresh tokens never touch
localStorage. - CORS and CSRF are easier to control on your domain.
If you must handle tokens entirely in the browser, minimize lifetime, avoid localStorage for refresh tokens, and treat XSS as a full session compromise.
CORS and iframes
Do not embed the Intastellar login UI in a hidden iframe unless the product explicitly supports silent or embedded flows. Prefer full-page redirect for sign-in and sign-out.
Frequently asked questions
Is the React popup the same as PKCE redirect?
No. The SDK popup path is a different integration style. This page is about redirect + PKCE when you build the flow yourself.
“CORS error” calling the token endpoint from JavaScript
Often expected — many token endpoints are not meant to be called directly from the browser. Use your backend or a BFF.
Next
Server-side (confidential) clients if you also run a traditional backend with a secret.
Last updated