Hi, I've one public client 'react' which uses the implicit grant for authentication. Now I want to secure this app back-end APIs, thus need to apply the authorization (policy, resource) settings. Is there any way to use the *Authorization* settings for the public client? As per my understanding, Authorization (policy, resource, scope) settings does not apply for *Public (Client Protocol)* client, It only for *Credential (Client Protocol) *client. Now the problem here is that when a user tries to log in using *credential-keycloak-client, *In that case, we need to use the *client_secret key* in front-end which would make the application more vulnerable. Let me know If my understanding is incorrect and feel free to share another approach to resolve this issue. Thanks, Shubham Akodiya _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user