For Client Credentials Grant Type,
1. What are some ways one can transmit the Client ID and Client Secret securely to authorised personnel?
2. Best security practices to ensure that APIs are not misused/abused in the client credential grant type
YES
That's exactly the purpose.
Thanks, but what if my API is only exposed to a partner for their internal consumption -- would it be overkill to allow the partner to access the developer portal just for this purpose? As I am both the owner and operator of the platform, control is something one needs.
I don't understand the modification you're making to the original question.
Your original question was: How can I distribute API credentials securely?
And the answer to that is: use a webapp that authenticates users, and allows them to provision their own keys, and require them to login and connect over HTTPS; in short, use the Developer Portal.
Your modification of the question seems to be: What if I don't want that much security?
I don't know how to answer that. If you don't want to secure the distribution of API credentials, send them in email. If you do, use a developer portal.
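As an added illustration of the self-service provisioning described in the answer above (not code from this thread or from any developer portal product), the sketch below shows the server side of such a webapp: the secret is generated for an already authenticated user, returned once, and stored only as a digest. The `CredentialStore` class, its method names and the sample user addresses are hypothetical.

```python
import hashlib
import hmac
import secrets


class CredentialStore:
    """In-memory stand-in for the portal's credential table (hypothetical)."""

    def __init__(self):
        self._rows = {}  # client_id -> {"owner", "digest", "revoked"}

    @staticmethod
    def _digest(secret: str) -> bytes:
        # The secret is 256 bits of CSPRNG output, so an unsalted SHA-256
        # digest is sufficient here; it is not a human-chosen password.
        return hashlib.sha256(secret.encode()).digest()

    def provision(self, authenticated_user: str):
        """Call only after the portal has authenticated the user over HTTPS."""
        client_id = secrets.token_urlsafe(16)
        client_secret = secrets.token_urlsafe(32)
        self._rows[client_id] = {
            "owner": authenticated_user,
            "digest": self._digest(client_secret),
            "revoked": False,
        }
        # The clear-text secret is shown to the user once and never stored.
        return client_id, client_secret

    def verify(self, client_id: str, client_secret: str) -> bool:
        """Check credentials presented in a client credentials token request."""
        row = self._rows.get(client_id)
        if row is None or row["revoked"]:
            return False
        # Constant-time comparison of the stored and presented digests.
        return hmac.compare_digest(row["digest"], self._digest(client_secret))

    def revoke(self, client_id: str, authenticated_user: str) -> bool:
        """Only the user who provisioned a credential may revoke it."""
        row = self._rows.get(client_id)
        if row is None or row["owner"] != authenticated_user:
            return False
        row["revoked"] = True
        return True

    def stored_values(self):
        return [row["digest"] for row in self._rows.values()]
```
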
I want secure distribution of API credentials, for sure. But opening the developer portal to others might be challenging. Is there a third way?
Nathan, your question amounts to
"I don't like this answer, please offer a different one."
The answer I have offered is the actual answer. You have asked twice for a different one. I keep giving you the same answer in different ways. Do you see the pattern?