The JekyllEx API is a proxy API. To understand why it was built, let's first understand how JekyllEx works.
JekyllEx can be used to manage your Jekyll blog hosted on GitHub Pages. To make changes to the Jekyll project, it needs your permission to act on your behalf.
JekyllEx is built on the GitHub API. During sign up, when a user authorizes JekyllEx to manage their repos on their behalf, GitHub generates an access token that JekyllEx can then use to perform actions on GitHub on behalf of the user.
JekyllEx uses Auth0 to integrate GitHub authentication. Whenever someone logs in, the user data is stored by Auth0.
To extract the access token returned by GitHub authorization, it was mandatory to call the Auth0 Management API to get the user data. Calling that API requires passing some secret tokens to the Auth0 API's OAuth endpoint.
Since JekyllEx is a native app, it is hard to store client secrets in it. No approach is completely secure: a secret embedded in the distributed app can be extracted, and with it an attacker could compromise JekyllEx's user base.
That's why I made the proxy API: the secrets live in environment variables on the backend, where they can't be extracted from the app, so they stay secure.
But then the question was how the user profile returned by the JekyllEx API could itself be kept secure: if it contains the GitHub access token, can't that be stolen too?
For that, an article in Auth0's docs explains how to use scopes so that only users who authenticated through the JekyllEx app are allowed access. It uses JWT for verification.