Skip to main content

Client-side applications

The access token you get from your account page allow you to makes queries on the Trefle API, but your token needs to be kept secret, so you can't make queries from the browser as the user on your website will see the access token, and could use it for their personal needs. Additionally this is not a good practice in developing software.

client workflow

If you need to perform client-side requests you will have to request a client-side token from your own backend and get a JWT token in return. This token will be usable on the client side. This call needs your secret access token and the url of the website that the client side requests will come from.


Because this is a POST request it can't be done directly from the browser.

In your terminal:

curl -X POST '"'

And we get:

"token": "eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxMDYsIm9yaWdpbiI6IllPVVItV0VCU0lURS1VUkwiLCJpcCI6IlRIRS1XRUJTSVRFLVVTRVItSVAiLCJleHAiOjE1OTQ2NDIxNDh9.Vd2d3UK7zdNWZLBOn8y50NcUKuF8xFZgh6p7EB4fhVw",
"expiration": "07-13-2020 14:09"

You can then use this token directly from the browser. It can't be used from another origin, will expire and only works for your website.

About the user IP

Putting the user remote IP in the claim API call is optional, but it provides an additional security layer. We don't keep or store this information.