Restrict some feature inside my front-end

I want to allow creating groups and listing users only in my backend.

A hacker could dump my entire user base (firstname/lastname) with this request:
https://api-xxx.sendbird.com/v3/users?token=&limit=20

Is it possible?

Thank you

Hello @magic and welcome to the Sendbird community,

Access to the platform API to list the users in your application would require a threat actor to have obtained your API token for your application, and is the reason Sendbird strongly advises against using the Chat API in your client-side applications.

You should use the corresponding client SDK, in this case the JavaScript SDK, in your client application.

When utilizing the master API token of your application, you can generate a secondary API token via your Dashboard or through the Platform API. This would allow you to revoke any secondary API keys in the event they are exposed. Please see the following documentation on how to generate and utilize secondary API tokens: https://sendbird.com/docs/chat/v3/platform-api/prepare-to-use-api#2-authentication
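The backend-only pattern described in the answer above, as an added example that is not part of the original thread and is not Sendbird's own code: the API token is read from the server environment, the backend calls the Platform API to create the user, and the browser receives only that user's own ID and access token for the client SDK. The environment variable names, function names and the injectable `send` parameter are assumptions made for illustration.

```javascript
// Added example (not from the thread). Runs on the backend only.
// Assumed env var names; the placeholders stand in for real values.
const APP_ID = process.env.SENDBIRD_APP_ID || "APP_ID_PLACEHOLDER";
const API_TOKEN = process.env.SENDBIRD_API_TOKEN || "SECONDARY_TOKEN_PLACEHOLDER";

// Build the Platform API "create user" call. The Api-Token header is
// attached here, server-side, and never appears in anything sent to a browser.
function buildCreateUserRequest(userId, nickname) {
  return {
    url: `https://api-${APP_ID}.sendbird.com/v3/users`,
    method: "POST",
    headers: { "Api-Token": API_TOKEN, "Content-Type": "application/json" },
    body: JSON.stringify({
      user_id: userId,
      nickname: nickname,
      profile_url: "",
      issue_access_token: true, // ask for a per-user access token
    }),
  };
}

// Allow-list what goes back to the client: only this user's own credentials,
// not the full Platform API response and never the API token.
function toClientPayload(platformResponse) {
  return {
    userId: platformResponse.user_id,
    accessToken: platformResponse.access_token,
  };
}

// Default transport: a real HTTPS call using Node's global fetch (Node 18+).
async function defaultSend(req) {
  const res = await fetch(req.url, {
    method: req.method,
    headers: req.headers,
    body: req.body,
  });
  if (!res.ok) throw new Error(`Platform API returned ${res.status}`);
  return res.json();
}

// Called from the backend's own, already authenticated, sign-up handler.
// `send` is injectable so the flow can be exercised without network access.
async function registerUser(userId, nickname, send = defaultSend) {
  const platformResponse = await send(buildCreateUserRequest(userId, nickname));
  return toClientPayload(platformResponse);
}
```

The front-end then connects through the client SDK with the returned `userId` and `accessToken`; if the backend's secondary token is ever exposed, it can be revoked and replaced without touching client code.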

In my front-end, I use react-ui kit.
Front-end : platform-api/js

I perform my operations inside my backend (room creation, adding a user to a room, retrieving the access token when I create a user).

When I have the view on groupChannelList components, I have this problem:

My secondary API token is only present in my backend. I’m not using a core API token.

In my use case, anyone could create an account on my solution. So I want to avoid those possibilities.

Is it possible? Do you have sample source code for this type of case or a solution?

Thanks for your help