I have a security concern regarding the authentication workflows provided by Nylas. If I decide to use the OAuth and the API key method, then the developers will have access to users' data (emails, calendars, etc.) using the API key and the grantId that they can see from the dashboard.
If I decide to go with the OAuth and access tokens, it should be more secure, but the concern is that the developers can still access data using the first method.
I believe we should only be allowed to use one authentication method to address this issue.
Did I understand it right or is there something else I am missing?
Thanks,