I am trying to figure out how to handle the Password Grant Tokens in the Passport package. Should I store the client_id and client_secret in the .env file or fetch the values direct
While you certainly can store the values inside your .env file, you should think of these tokens as secrets you grant to other developers who want to use your API. What if every day 50 developers want to register to use your API, will you add them by hand to your .env file? If it's only you / your company this can be "ok", but I would store them in the database for scalability.