OAuth Token and Secret in iOS App

(David Solberg) #1

We’re creating iOS and Android apps that use Dwolla. Is it possible to access the Dwolla platform completely from within either an iOS app? In other words, is it acceptable to store the client id and secret for oauth inside the app, then make all the server calls directly to Dwolla? As long as the local user is properly authenticated, this seems fine to me.

Is there anyone with experience that has done this or knows the answer?

(Spencer Hunter) #2

In general, making API calls to Dwolla directly from the mobile device is not recommended. Instead, all API calls should be made by your backend server(s), which should securely store your API credentials and manage other business logic surrounding payments.

Since Dwolla offers a white-labeled experience, it’s really up to you how the payment experience is presented to the user, and how that is technically achieved between your backend and your mobile client.

(David Solberg) #3

So in summary, you’re saying that you’d prefer the API calls are made by servers, so it’s up to us in a white label solution?

I’m curious which API calls use the application access oauth token? It seems that those are the ones that would be most impacted by having the API credentials in-app. If all user information operations required user sign-in, that would seem to address most issues.

(Spencer Hunter) #4

Correct. When someone wants to login via your mobile application, your application will simply forward the request to the server that will then send the authenticated request to Dwolla. Your server can then tell your client if it was successful or not.

An application access token is only used to access protected resources that belong to the app itself which includes: webhooks, webhook-subscriptions, and events.
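The server-side pattern described in this thread, as an added example that is not part of the thread or of Dwolla's own code: the backend alone holds the client id and secret, obtains the application access token itself, and exposes a session-authenticated endpoint to the mobile app, so the device never handles Dwolla credentials. The token URL, the events URL, the response shapes and the `fake_dwolla` transport are assumptions constructed so the code runs offline.

```python
import base64
import time
from dataclasses import dataclass, field
from typing import Callable

# Assumed (not from the thread): an OAuth 2.0 client_credentials token endpoint
# and an app-owned resource (events) that accepts the application access token.
TOKEN_URL = "https://api-sandbox.dwolla.com/token"
EVENTS_URL = "https://api-sandbox.dwolla.com/events"
APP_BASIC = "Basic " + base64.b64encode(b"app-id:app-secret").decode()

def fake_dwolla(url: str, headers: dict, body: dict) -> tuple[int, dict]:
    """Constructed offline stand-in for HTTPS calls to Dwolla; not the real API."""
    auth = headers.get("Authorization", "")
    if url == TOKEN_URL and auth == APP_BASIC and body.get("grant_type") == "client_credentials":
        return 200, {"access_token": "app-token-1", "token_type": "bearer", "expires_in": 3600}
    if url == EVENTS_URL and auth == "Bearer app-token-1":
        return 200, {"total": 1, "_embedded": {"events": [{"id": "evt-1", "topic": "transfer_completed"}]}}
    return 401, {"error": "invalid_client"}

@dataclass
class PaymentsBackend:
    """Runs on the server only: the client id and secret never leave this process."""
    client_id: str
    client_secret: str
    transport: Callable[[str, dict, dict], tuple[int, dict]]
    sessions: dict = field(default_factory=dict)   # session token -> user id
    _token: str = ""
    _expires_at: float = 0.0

    def app_token(self) -> str:
        """Obtain (and cache) the application access token using the server-held secret."""
        if self._token and time.time() < self._expires_at - 60:
            return self._token
        creds = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        status, body = self.transport(TOKEN_URL, {"Authorization": "Basic " + creds},
                                      {"grant_type": "client_credentials"})
        if status != 200:
            raise PermissionError("Dwolla rejected the application credentials")
        self._token, self._expires_at = body["access_token"], time.time() + body["expires_in"]
        return self._token

    def mobile_list_events(self, session_token: str) -> dict:
        """Endpoint the mobile app calls: authorised by the user's session, not by Dwolla credentials.
        Returns only the fields the client needs; no secret, token or raw upstream payload."""
        if session_token not in self.sessions:
            return {"ok": False, "error": "not signed in"}
        status, body = self.transport(EVENTS_URL, {"Authorization": "Bearer " + self.app_token()}, {})
        if status != 200:
            return {"ok": False, "error": "upstream error"}
        return {"ok": True, "events": [{"id": e["id"], "topic": e["topic"]} for e in body["_embedded"]["events"]]}
```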