nuxt-modules / prismic

Easily connect your Nuxt.js application to your content hosted on Prismic

Home Page:https://prismic.nuxtjs.org


will private api token be exposed?

gabrielsze opened this issue · comments

Hi all, just noted this particular snippet in the documentation, particularly

please note that the token will bleed in the front-end

prismic: {
  // example querying a private Prismic repository
  // please note that the token will bleed in the front-end
  apiOptions: {
    accessToken: 'yourAccessToken'
  }
}

I'm wondering what this line means, and I'm curious whether the private API token is exposed, and what the best way is to implement such a configuration in Nuxt so that the private API token is protected?

commented

Hey @gabrielsze, nice question!

Since Prismic has to be able to run on the frontend (for SPA fallback, previewing content, etc.) the token you pass as an option here will eventually bleed in the frontend.

If you're using a token to protect unreleased content, you can effectively use this option by providing it an access token that only has access to the master ref. People won't be able to peek at unreleased content this way.

However, if you want to completely protect your content while hiding the token, I'm afraid it's not currently possible to do so with this module, or with Nuxt overall. Once Nuxt Nitro is released we might be able to use it to proxy calls to Prismic through a serverless function.
In the meantime, the option available to you is to write an API that acts as a proxy and handles calls to Prismic, injecting your token there. Just want to give you a heads-up regarding that, as there might be no need to do so with your content, since it will most likely be public at the end of the day?

Let us know if anything, cheers!

Thanks for answering! Appreciate the quick response.

If you're using a token to protect unreleased content, you can effectively use this option by providing it an access token that only has access to the master ref. People won't be able to peek at unreleased content this way.

May I clarify how this works: so the token which has access to master can only view published content, but the token with master and releases can view all content (?)

Just want to give you a heads up regarding that as there might be no need to do so with your content since it will most likely be public at the end of the day?

I was wondering more about API-call throttling if someone decides to spam the API (DDoS perhaps?). Not sure if this would be a consideration, but for example I also noticed how you can limit the use of Google APIs to only certain domains. Thought that may be helpful, but I appreciate the answer on it so far 🥇

commented

You're welcome!

May I clarify how this works - so the token which has access to master can only view published content, but the token with master and releases can view all content (?)

Exactly, sorry for abusing Prismic's jargon, but a token that only has access to master is basically a token that only has access to published content; a token that has access to master and releases can view published content and release content, which might not be published yet.

Was wondering more about api-calls throttling if someone decides to spam the API (ddos perhaps?), not sure if this would be a consideration, but for example also noticed how you could limit the use of google apis to only certain domains. Thought that may be helpful, but appreciate the answer on it so far 🥇

Indeed, your concern makes total sense here. For that purpose we do implement rate-limiting strategies on our API, which should prevent malicious usage of it in most cases. Also, as far as I know, we have never experienced a DDoS attack targeting a specific user on our end 🙂

Understood, thanks so much for clarifying and also for the quick response on this. Helps to understand the situation better :)

commented

You're welcome, closing this now~

Feel free to reopen if you have any question; also, we have a community forum where you can get support for that kind of question 🙂