# Security model The Finqware API is protected by a number of keys and tokens. It is important to follow the best practice around where it's safe to store/use them. You can make an API call from a web application using the `client_id`, but use an `access_token` only from your server-side code. Currently, a generally accepted opinion among security experts is that you cannot safely store secrets in a client application (web or mobile code). Besides the API keys listed here, the **/v1s** is an extra secured endpoint (recommended for production) that requires message digest & signing - please check the details [here](/dev-guide/signing-api-requests.md). | Token/key | Client | Description | | ---------------- | ------ | ---------------------------------------------------------------------------- | | client\_id | yes | An identifier for a tenant app | | client\_secret | no | A secret generated for each tenant app | | client\_app\_key | yes | Used to initate a user session | | temp\_token | yes | A temporary token that can be exchanged for an access\_token | | credentials\_id | no | A consent record that points to user data (eg: a bank account, an insurance) | | access\_token | no | A permanent token authorizing access to user data | --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.finqware.com/overview/security-model.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.