Building a Finished Goods Client Interface

If it’s client-side JavaScript based (i.e. Angular style), 100% of your security must be server side. The client app can be manipulated to do anything anyone wants with time and effort. Tokens become your friend because they can only be generated by the server, they can be passed easily, and they can’t be changed without invalidating them.

For our app I pass the service user bearer token to my app, generate a token with customer keys to pass to the app, and pass the customer keys to the app. I compare the keys in my token and the keys passed throughout all my transactions. Any time I talk to Epicor I use the bearer token and pass the token and the keys stored within the token to Epicor as params. Then, in pre-process for any of my calls, I compare the keys passed to the keys stored, as well as look at the expiration time and validation of the token (has it been tampered with?); only then will Epicor actually run my BAQs.

Post-Insights, I think I could post my slides here for my presentation on this, but I’m not sure; let me ask on that. Might not be able to publish those, but I’ll ask.

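The pre-process check the post describes (compare the keys passed as params to the keys sealed inside the token, check the expiration time, and reject a tampered token), as an added example that is not the poster's code and not Epicor's token format; it assumes a constructed HMAC-SHA256 token layout, a constructed server secret, and constructed customer key values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret: in a real deployment it exists only on the server,
# which is what makes a token something the client cannot mint or alter.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(customer_keys: dict, ttl_seconds: int = 900, now=None) -> str:
    """Server-only: seal the customer keys and an expiry, then sign them."""
    now = time.time() if now is None else now
    payload = {"keys": customer_keys, "exp": int(now + ttl_seconds)}
    body = b64url_encode(json.dumps(payload, sort_keys=True).encode())
    sig = b64url_encode(hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def validate_request(token: str, passed_keys: dict, now=None):
    """Pre-process check run before any BAQ call. Returns (ok, reason)."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return False, "malformed token"
    expected = b64url_encode(hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest())
    # Signature first, in constant time: any edit to the body breaks it.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    payload = json.loads(b64url_decode(body))
    if now >= payload["exp"]:
        return False, "token expired"
    # The keys the client passed must equal the keys the server sealed in the token.
    if passed_keys != payload["keys"]:
        return False, "key mismatch"
    return True, "ok"
```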

That’s a no-go; they are a benefit of attending.
