How to confirm the audience for the token

I am creating an Android application with “Log in with Kakao”
which works with APIs on our own server.

To identify who is making a request to the APIs, we have to verify the access token sent by the app to the APIs.
We can get the Kakao-ID from the access token via ‘/v1/user/access_token_info’,
but there seems to be no way to know the audience (the application the token was issued to) of the access token.
APIs can be fragile because of token replacement / spoofing.

Could anybody please tell me how to resolve the issue?

Thank you in advance!

Thanks for your suggestion. /v1/user/acces_token will also return ‘app id (client id)’ in the very near future. I will reply to this thread once the feature is released.

Thank you so much for your kind reply!

Now, ‘/v1/user/access_token_info’ also returns appId in the response and you can check the validity of the access token by comparing this with your own app id. Please reply if there is any problem or room for improvement. :slight_smile:
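The server-side check described in the reply above, as an added example that is not part of the original posts and is not Kakao's code. It assumes the host `kapi.kakao.com`, Bearer authentication and an `id` field carrying the Kakao ID; the thread itself gives only the path and `appId`, and the sample responses are constructed.

```python
import json
import urllib.error
import urllib.request

# Assumed host; the thread only gives the path.
TOKEN_INFO_URL = "https://kapi.kakao.com/v1/user/access_token_info"

class TokenRejected(Exception):
    """The access token must not be accepted by our API."""

def fetch_token_info(access_token):
    """Ask Kakao about the token. Assumes Bearer authentication."""
    req = urllib.request.Request(
        TOKEN_INFO_URL, headers={"Authorization": "Bearer " + access_token})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        raise TokenRejected("Kakao rejected the token: HTTP %d" % exc.code)

def verify_token(access_token, expected_app_id, fetch=fetch_token_info):
    """Return the Kakao user id only if the token was issued to our app."""
    info = fetch(access_token)
    if not isinstance(info, dict):
        raise TokenRejected("unexpected token info response")
    app_id = info.get("appId")
    user_id = info.get("id")  # assumed field name for the Kakao ID
    # Fail closed: a response without appId proves nothing about the audience.
    if app_id is None or user_id is None:
        raise TokenRejected("token info lacks appId or id")
    # Compare as strings so 12345 and "12345" are treated alike.
    if str(app_id) != str(expected_app_id):
        raise TokenRejected("token was issued to another app")
    return user_id

# Constructed sample responses, keyed by token, standing in for Kakao.
SAMPLE = {
    "token-for-our-app": {"id": 1001, "appId": 12345},
    "token-for-other-app": {"id": 1001, "appId": 99999},
    "token-without-appid": {"id": 1001},
}

def sample_fetch(access_token):
    """Offline replacement for fetch_token_info using SAMPLE."""
    if access_token not in SAMPLE:
        raise TokenRejected("Kakao rejected the token: HTTP 401")
    return SAMPLE[access_token]
```

The expected app id should come from server configuration, never from the request that carries the token.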

Much appreciated, thank you for your fix. It was so quick. I confirmed that ‘appId’ is added and returns the fixed value. My only question is, I am not sure where on the settings page the ‘appId’ is shown.
But it is ok for now, I just kick the API in advance to know my appId!!


Sorry, the UI does not yet reflect the API change. The app id is currently shown in the URL when you visit the app settings page. And we will update the app settings UI to show the app id in a more natural way in the future. Thanks for your suggestions :slight_smile: