API Callout from LWC vs Apex

This is more of a design confusion. LWC documentation recommends making external API callouts from LWC (client-side) before Apex. However, I have the doubts below:

Is it safe to make 3rd-party API callout from the frontend, when accessToken is involved?

Also, we may need to hardcode URLS in the code. Are there best practices for the same?

In case the integration requires sending certificates (for 2 way), is it recommended?

Also, what IPs need to be whitelisted at the endpoint end for client-side calls?

Server-side calls introduce an extra middleman, but apart from performance, is there any other advantage of making the callout from the client side?

Answer

Is it safe to make 3rd-party API callout from the frontend, when accessToken is involved?

Yes, it is safe as it allows HTTPS or WSS requests only (SSL). Also, you have to whitelist trusted sites for the callout.

Also, we may need to hardcode URLs in the code. Are there best practices for the same?

It is fine as long as you don’t need to change them frequently.

In case the integration requires sending certificates (for 2 way), is it recommended?

I would not recommend implementing two-way APIs/any scenario where security is critical in LWC directly, as storing secret data like passwords or auth keys in JavaScript/browser cache is not safe. Use Apex.

Make callout from LWC whenever you are calling some third party API which is free or does not need authentication.

Also, what IPs need to be whitelisted at endpoint end, for client-side calls?

You need to whitelist sites (not IPs) in CSP Trusted Sites. Refer to Setup.
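The server-side pattern the answer recommends, as an added example that is not part of the original post: the LWC calls an Apex method, and the access token (or the client certificate for two-way TLS) is held by a Named Credential, assumed here to be named "Partner_API", so neither the secret nor the base URL is hardcoded in Apex or shipped to the browser.

```apex
// Added example (not from the original post). Assumes a Named Credential
// "Partner_API" configured under Setup > Named Credentials with the
// third-party base URL, its authentication settings and, for mutual TLS,
// the client certificate. None of that material appears in code.
public with sharing class PartnerApiController {

    // Only these resource paths may be requested from the client. Accepting an
    // arbitrary URL from the LWC would turn this method into an open proxy.
    private static final Set<String> ALLOWED_RESOURCES = new Set<String>{
        'accounts', 'invoices'
    };

    // Not cacheable: Apex forbids callouts from cacheable=true methods.
    @AuraEnabled
    public static String fetchResource(String resource) {
        if (String.isBlank(resource) || !ALLOWED_RESOURCES.contains(resource)) {
            throw new AuraHandledException('Resource not permitted: ' + resource);
        }

        HttpRequest req = new HttpRequest();
        // "callout:<NamedCredential>/..." resolves the base URL and attaches the
        // Authorization header (or client certificate) configured on the
        // Named Credential, so no Remote Site Setting or token string is needed.
        req.setEndpoint('callout:Partner_API/v1/' + resource);
        req.setMethod('GET');
        req.setTimeout(10000);

        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            // Surface only the status; the upstream body may contain details
            // that should not reach the browser.
            throw new AuraHandledException('Upstream returned HTTP ' + res.getStatusCode());
        }
        return res.getBody();
    }
}
```

The LWC imports the method with `import fetchResource from '@salesforce/apex/PartnerApiController.fetchResource';` and needs no CSP Trusted Site entry, because the browser never contacts the third party directly.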

Attribution
Source: Link, Question Author: Deep Singhal, Answer Author: Rahul Gawale
