Architecture Advice for commercial use

Hey @gusgonnet, thanks for your guidance earlier.

As you advised, I have now built the skeleton of a two-legged auth flow using Firebase and a React web app.

Currently I have a web app that would allow customers to sign up, and their details are saved into a Firestore DB. At the same time as their details are saved to the DB, I create a shadow account for the user on the Particle product console.

I will probably have a similar setup flow to jgskarda, as per this thread: "Initial device setup for products - 10-20 borons".

My initial idea is for the customer to sign up via our web app, which will create a shadow customer. Then, when the customer logs in to our app, they will manually claim the device by entering the device ID and submitting this to the Particle API. In your opinion, should I get my Express backend to make this claim, or is it OK to claim from the web app? It seems like it's reasonably standard practice to use the access_token on the front end. If this is the case, then I assume it's probably OK to call the claiming API via the web app also.

Would it also be overkill to generate a new access_token for customers every time they log in to our web app? Should I just try to create a scheduled function to refresh access_tokens for all customers?

Again thank you and everyone else for your advice. I’m amazed that I have been able to mock up a skeleton that I could potentially use commercially in a couple of days. I couldn’t do this without this forum, so thanks all.
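The backend-mediated variant of the claiming step described in the post, written up as an added example; it is not code from the original thread or from Particle. The browser sends only its Firebase ID token, the Express backend verifies that token, validates the device ID, mints a short-lived customer-scoped Particle token with the product client credentials (which never leave the server), and performs the claim. The endpoint paths (`/oauth/token` with `grant_type=client_credentials` and `scope=customer=<email>`, and `POST /v1/devices` with `id`), the 24-hex-character device ID format, and the helper names `handleClaim`, `mintCustomerToken`, `normalizeDeviceId` and the injected `deps` object are assumptions and should be checked against the current Particle docs.

```javascript
// Added example, not from the original post: backend-mediated device claim.
// The client credentials (clientId/clientSecret) exist only on the server; the
// browser only ever holds the customer's Firebase ID token.
// Assumptions: Particle endpoint paths and parameters below are as recalled
// from the public Particle API docs; deps.verifyIdToken stands in for
// admin.auth().verifyIdToken and deps.particleFetch for fetch against the API base.

const DEVICE_ID_RE = /^[0-9a-f]{24}$/i; // assumed Particle device ID format: 24 hex chars

// Reject anything that is not a device ID before it reaches any external API.
function normalizeDeviceId(raw) {
  if (typeof raw !== 'string') return null;
  const id = raw.trim().toLowerCase();
  return DEVICE_ID_RE.test(id) ? id : null;
}

// Two-legged auth: mint a short-lived token scoped to one customer using the
// product client credentials. Minting per request avoids storing long-lived
// customer tokens that a scheduled job would have to refresh.
async function mintCustomerToken(customerEmail, deps) {
  const form = new URLSearchParams({
    grant_type: 'client_credentials',
    scope: `customer=${customerEmail}`,
    expires_in: String(deps.tokenTtlSeconds ?? 900), // 15 minutes is plenty for one claim
  });
  const basic = Buffer.from(`${deps.clientId}:${deps.clientSecret}`).toString('base64');
  const res = await deps.particleFetch('/oauth/token', {
    method: 'POST',
    headers: { Authorization: `Basic ${basic}`, 'Content-Type': 'application/x-www-form-urlencoded' },
    body: form.toString(),
  });
  if (!res.ok) throw new Error(`token mint failed: ${res.status}`);
  const json = await res.json();
  return json.access_token;
}

// Framework-agnostic handler: takes {headers, body}, returns {status, body}.
// Wire it into Express with the one-liner at the bottom.
async function handleClaim(req, deps) {
  // 1. Authenticate the caller: verify the Firebase ID token server-side.
  const auth = (req.headers && req.headers.authorization) || '';
  const idToken = auth.startsWith('Bearer ') ? auth.slice(7) : null;
  if (!idToken) return { status: 401, body: { error: 'missing bearer token' } };
  let user;
  try {
    user = await deps.verifyIdToken(idToken); // resolves to { uid, email, ... }
  } catch {
    return { status: 401, body: { error: 'invalid id token' } };
  }

  // 2. Validate input; the customer typed this by hand.
  const deviceId = normalizeDeviceId(req.body && req.body.deviceId);
  if (!deviceId) return { status: 400, body: { error: 'deviceId must be 24 hex characters' } };

  // 3. Claim on the customer's behalf with a token scoped to that customer only.
  const token = await mintCustomerToken(user.email, deps);
  const res = await deps.particleFetch('/v1/devices', {
    method: 'POST',
    headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ id: deviceId }),
  });
  if (!res.ok) return { status: 502, body: { error: `claim failed (${res.status})` } };

  // 4. Record who claimed what; this is the audit trail the front-end path lacks.
  if (deps.log) deps.log(`claim uid=${user.uid} device=${deviceId}`);
  return { status: 200, body: { ok: true, deviceId } };
}

// Express adapter (express is not required here so the file runs stand-alone):
// app.post('/api/claim', (req, res) =>
//   handleClaim(req, deps).then((r) => res.status(r.status).json(r.body)));
```

The handler returns plain `{status, body}` objects so it can be exercised with fake `verifyIdToken` and `particleFetch` functions and no network; the Express route is a one-line adapter over it. Because the token is minted per claim with a short `expires_in`, nothing long-lived has to be stored or periodically refreshed for every customer.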