Restrict some feature inside my front-end

I want to allow creating groups and listing users only in my backend.

A hacker could dump my entire user base (firstname/lastname) with this request:

Is it possible?

Thank you

Hello @magic and welcome to the Sendbird community,

Access to the platform API to list the users in your application would require a threat actor to have obtained your API token for your application and is the reason Sendbird strongly advises against using the Chat API in your client side applications.

You should use the corresponding client SDK, in this case the Javascript SDK, in your client application.

When utilizing the master API token of your application, you can generate a secondary API token via your Dashboard or through the Platform API. This would allow you to revoke any secondary API keys in the event they are exposed. Please see the following documentation on how to generate and utilize secondary API tokens:

In my front-end, I use react-ui kit.
Front-end : platform-api/js

I perform my operations inside my backend (room creation, adding a user to a room, retrieving the access token when I create a user).

When I have the view on groupChannelList components, I have this problem:

My secondary API token is only present in my backend. I’m not using a core API token.

In my use case, anyone could create an account on my solution. So I want to avoid those possibilities.

Is it possible? Do you have sample source code for this type of case or a solution?

Thanks for your help

Hello @magic,

It is not possible to hide the response body of the API call made by the SDK to list available users. If we masked this data, the data in your application would also be masked.

There is a security setting for your application to prevent users from logging into your application without a valid session or access token by setting access token permission to Deny Login under Settings → Security → Access Token Permission. This prevents users from logging into another user ID without the valid access or session token.
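Putting the two answers together, the following is an added example (not Sendbird's code and not from either poster) of the split they recommend: the Platform API token is read only in the backend process, the backend exposes a narrow surface to the browser (register a user, issue a session token) and no "list users" route, and the browser connects through the client SDK with nothing more than a per-user session token. Assumed here: the Platform API endpoints `POST /v3/users` and `POST /v3/users/{user_id}/token` with an `Api-Token` header and a base URL of the form `api-{APP_ID}.sendbird.com`; the application id, the API token and the in-memory stand-in for the Platform API are constructed so the file runs offline, and the stand-in is synchronous for brevity where real `fetch` calls are asynchronous. The SDK connect step is a labelled placeholder for `sb.connect(userId, sessionToken)`.

```javascript
// Added example (not Sendbird's code). Demonstrates keeping the Platform API
// token server-side and handing the browser only a session token.
const APP_ID = 'APP_ID_PLACEHOLDER';                 // placeholder, not a real app id
const BASE_URL = `https://api-${APP_ID}.sendbird.com`;

// Constructed stand-in for the Platform API (synchronous for brevity). It
// enforces the one property this thread turns on: every call must carry the
// API token, so whoever holds that token can list the whole user base.
function makeFakePlatformApi(validApiToken) {
  const users = new Map();
  let counter = 0;
  return function request(url, { method = 'GET', headers = {}, body } = {}) {
    if (headers['Api-Token'] !== validApiToken) {
      return { status: 401, body: { message: 'Unauthorized' } };
    }
    const path = new URL(url).pathname;
    if (method === 'POST' && path === '/v3/users') {
      const u = JSON.parse(body);
      users.set(u.user_id, { user_id: u.user_id, nickname: u.nickname });
      return { status: 200, body: users.get(u.user_id) };
    }
    const m = path.match(/^\/v3\/users\/([^/]+)\/token$/);
    if (method === 'POST' && m && users.has(decodeURIComponent(m[1]))) {
      counter += 1;
      return { status: 200, body: { token: `session-${counter}`, expires_at: 1700000000000 } };
    }
    if (method === 'GET' && path === '/v3/users') {
      return { status: 200, body: { users: [...users.values()] } };   // the dump the OP fears
    }
    return { status: 404, body: { message: 'Not found' } };
  };
}

// Backend side: the only code that ever reads the API token. It deliberately
// offers no route that lists users, so the browser has no path to the user base.
function createBackend({ apiToken, request }) {
  function call(path, method, payload) {
    const res = request(`${BASE_URL}${path}`, {
      method,
      headers: { 'Api-Token': apiToken, 'Content-Type': 'application/json' },
      body: payload === undefined ? undefined : JSON.stringify(payload),
    });
    if (res.status !== 200) throw new Error(`Platform API ${res.status}: ${res.body.message}`);
    return res.body;
  }
  return {
    // Call this only after your own application has authenticated the person.
    registerUser(userId, nickname) {
      return call('/v3/users', 'POST', { user_id: userId, nickname, profile_url: '' });
    },
    // What the browser is allowed to receive: a per-user session token, never the API token.
    issueSessionToken(userId) {
      const { token, expires_at } = call(`/v3/users/${encodeURIComponent(userId)}/token`, 'POST', {});
      return { userId, sessionToken: token, expiresAt: expires_at };
    },
  };
}

// Front-end side: receives the session token and connects through the SDK.
// `sdkConnect` stands in for the real `sb.connect(userId, sessionToken)`.
function frontEndLogin(backend, userId, sdkConnect) {
  const { sessionToken } = backend.issueSessionToken(userId);
  return sdkConnect(userId, sessionToken);
}

// Models the attempt from the original question: a browser that only has a
// session token calls the Platform API directly to list users.
function browserTriesToListUsers(request, sessionToken) {
  return request(`${BASE_URL}/v3/users`, {
    method: 'GET',
    headers: { 'Session-Token': sessionToken },  // no Api-Token available client-side
  }).status;
}
```

With the Deny Login setting from the second answer enabled as well, a browser that knows another person's user ID but holds no valid session or access token cannot connect as that user, which closes the remaining client-side gap.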