Client ID and Flow ID in the SDK integration look weak on security. Is it secure?

Neither of these is a sensitive piece of information. They are public identifiers by design: they tell us which flow to execute and help us keep the integration with merchant systems simple. If someone uses these two pieces of information to impersonate a merchant and execute fake verifications, only 2 things are at risk:

  1. Data of customers going through the flow.
  2. Verification quota purchased from Metamap.

The customers' data is secure even if somebody else executes the verification. The data goes back to our systems, and from our systems it is accessible only to the merchant backend via webhooks and via the dashboard for visualisation. Both of these are secured areas.

Our verification flow is website-independent. It is practically the same whether it runs on the merchant's actual site or on a hacker's fake site. A hacker will attack the merchant's website directly. If your flow sits behind an authenticated entry point, it is definitely more secure.

A hacker could run the verification anywhere and try to exhaust the quota. This is a low risk because submitting all the data is a long, manual process: providing documents, taking photos for the liveness check, and then waiting for the verification results. It is not that easy to script, and even then the attack would be too slow to do any real harm. It is definitely a risk, but a low one for us, because preventing it would make the system much more complicated.

A hacker can also try to exhaust the verifications by calling the API directly with this information. That will not work, because API integration token generation is based on a SECRET KEY, which resides on the merchant's backend or our dashboard. So it is secured.