- The API Key
- JS Security Key
- TA Token
e.g. as mentioned in the documentation:
There seems to be no other secret/otherwise key backed anywhere that is not publicly accessible. My client was just concerned about the security implications of this, and if it is indeed safe to do. Since there is no other configuration, it would seem anyone could take these values and generate tokens for our account elsewhere.
I figure this is the correct approach, but just wanted to make sure on behalf of questions from my client. Thank you!