This document outlines the security mechanisms employed by Moneyhub widgets to ensure secure initialization, data access, and request handling.

Moneyhub widgets utilise OpenID Connect Dynamic Client Registration to create a separate client for each instance of a widget. This client is restricted to a specific set of scopes and can only access data directly associated with it. Following the authentication flow, the client can only redirect back to an address within the specified domain set during widget creation.

When a widget is initialised, it creates a new JSON Web Key (JWK) which is stored locally in the browser. This JWK is associated with the client and is used to sign each request. Since no user credentials are required for registration, the JWK is deleted when the browser session ends, making it impossible to use the client for subsequent requests.

For widgets such as the Affordability widget, which allows users to link their accounts, we provide access to the linked data via a separate client specifically set up for this purpose.