API client secrets

[calebmer]

Currently anyone can use the API when un-authenticated. We should have API client secrets to make sure only approved clients can use our API.

• On web, we should store our client secret in the API proxy. That way it can’t be seen in client side code.
• I’m not entirely sure where to put it for native code.

[calebmer]

Even with client side secrets, what’s to stop someone from using the web API proxy? Maybe having this level of protection won’t do anything.

[calebmer]

We should research how Firebase apps securely protect their client secrets before preceding with this.