Signatu is built using security best practices such as the principle of least privilege, so you can assume that your account and data in Signatu are safe as long as you do your part.
You can generate OAuth tokens either in your Signatu account or using client application credentials. Make sure you restrict these tokens to the specific scope they are for, dataprocessing. Note that while these tokens give the bearer limited access rights for the given scope(s), they do access your account and should be kept secret.
If you want your website to use the Signatu Consent API directly you need to provide the web browser with a valid OAuth token. This token will be readable by your users, and hence cannot be considered secret anymore. Anyone with this token can POST new consent events and query the API.
If you are using Content Security Policy (CSP) on your site
you need to include
connect-src. If you embed a Signatu Policy button, you also need to include
cdn.signatu.com in your
Alternatively, the browser can send consent events to your own service. Your service holds the OAuth client credentials and forwards the events to the Signatu API. You need a way to authenticate your applications to the Consent Proxy; otherwise this model adds no security, since anyone who can reach the proxy can post events through it.
The Signatu SDK contains an example Express proxy