# OAuth for SPA, BFF, and Frontend Secret Anti-Patterns

> **Intro:** Frontend identity choices should be evaluated by how much authority they expose to the browser, how replayable the tokens are, and how cleanly they support logout, session rotation, and downstream authorization.
>
> **What this page includes**
>
> * when SPA-only flows are acceptable
> * why the BFF pattern often simplifies risk
> * common mistakes with tokens and browser storage
> * how to review frontend auth designs

## SPA versus BFF

A pure SPA can be workable, but a Backend-for-Frontend often makes the security model easier because it moves token handling and upstream calls out of the browser and back into a server-controlled trust boundary.

## Anti-patterns

* frontend bundles containing secrets or long-lived API credentials;
* access tokens stored broadly in browser storage without a good reason;
* confusing authentication with authorization and pushing too much trust into frontend checks;
* incomplete logout that leaves long-lived session artifacts behind.

## Review questions

* Which tokens exist in the browser, and why?
* Can the browser directly call privileged upstream APIs, or only the BFF?
* How are session renewal, device loss, and risk events handled?
* Does the frontend reveal roles, entitlements, or feature flags that should remain server-authoritative?

## Recommended bias

Prefer server-held sessions or BFF-mediated access for high-value products, especially when the product handles tenant data, admin workflows, or regulated information.

## Related pages

* [Session Security, Browser State, and AuthZ Review Patterns](https://github.com/D3One/Product-Security-Gitbook/blob/main/18-frontend-and-browser-security/session-security-authn-authz-and-browser-state-review.md)
* [API Authentication and Authorization](/architecture-api-crypto-and-identity/index/api-authentication-and-authorization.md)

***

*Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.*
