
Prerequisites

Before integrating, take a minute to understand the security model. Getting this wrong leaks credentials; getting it right takes a single architectural decision up front.

What you need

  • A Client ID and Client Secret, issued by the VOTR team.
  • A backend service you control (Node, Python, Go, anything that can hold a secret).
  • A React or React Native client where the VoteNowButton SDK will run.
  • Node.js for the SDK install steps (npm or yarn).

Environments

| Environment | Base URL |
| --- | --- |
| Development | https://api-dev.govotr.com |
| Production | https://api.govotr.com |

Use each set of client credentials only against the environment it was issued for. Development and Production credentials are not interchangeable.

Security model

VOTR uses OAuth 2.0 client-credentials authentication. The credentials grant unrestricted API access — they must stay on your backend.

:::danger Never put client credentials in your frontend
Anything bundled into a web or mobile client is readable by anyone who runs the app. A leaked client_secret allows arbitrary calls against the VOTR API on behalf of your organization. Rotate immediately if exposure is suspected.
:::

Anti-pattern — credentials in the client

frontend.ts (insecure — do not ship)
const CLIENT_ID = "184hc5luf27g";
const CLIENT_SECRET = "c1kf58bh43dnlq676j";
// Both values are bundled into the app and visible to every user.

Correct pattern — credentials on the server

The client calls your backend, which holds the secrets and proxies to VOTR.

frontend.ts (safe)
async function getVotingUrl(userEmail: string, eventId: string) {
  // userAuthToken is your app's own session token, obtained when the user signed in.
  const response = await fetch("/api/voting/generate-url", {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      Authorization: `Bearer ${userAuthToken}`, // your app's session token
    },
    body: JSON.stringify({ email: userEmail, eventId }),
  });
  // Surface 401/403/5xx from your backend instead of parsing an error body as a result.
  if (!response.ok) {
    throw new Error(`generate-url failed: ${response.status}`);
  }
  return response.json();
}

backend.ts (safe)
// Reads CLIENT_ID / CLIENT_SECRET from env / secret manager only.
// Calls VOTR, gets a voting URL, returns *only* the URL to the client.

Your backend's responsibilities:

  1. Store CLIENT_ID / CLIENT_SECRET in environment variables or a secret manager — never in source control.
  2. Authenticate your own users (your app's session, not VOTR's).
  3. Authorize the user against the requested event.
  4. Exchange credentials for an OAuth token (cache it until ~1 minute before expiry).
  5. Return only the resulting voting URL to the client.
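
Steps 2 to 5 of the list above as one server-side sketch, added here as an example and not taken from VOTR or the Sample-IN-APP-Voting repository. createTokenCache, handleGenerateUrl and the Deps callbacks are hypothetical names, and the VOTR token exchange and URL request are injected as functions because this page does not show those endpoints; the token response is assumed to carry the standard OAuth 2.0 access_token and expires_in fields.

```typescript
// Added example; every name is hypothetical and VOTR-specific calls are injected.
type TokenResponse = { access_token: string; expires_in: number }; // RFC 6749 fields
type Result = { status: number; body: { url?: string; error?: string } };

const REFRESH_MARGIN_MS = 60 * 1000; // step 4: refresh ~1 minute before expiry

// Runs the credential exchange only when no token is cached or the cached one
// is inside the refresh margin. Concurrent callers share a single exchange.
function createTokenCache(
  exchange: () => Promise<TokenResponse>,
  now: () => number = Date.now,
): () => Promise<string> {
  let token = "";
  let refreshAt = 0;
  let inFlight: Promise<string> | null = null;
  return () => {
    if (token !== "" && now() < refreshAt) return Promise.resolve(token);
    if (inFlight !== null) return inFlight;
    const pending = exchange().then(
      (t) => {
        token = t.access_token;
        refreshAt = now() + t.expires_in * 1000 - REFRESH_MARGIN_MS;
        inFlight = null;
        return token;
      },
      (err) => { inFlight = null; throw err; }, // a failed exchange is not cached
    );
    inFlight = pending;
    return pending;
  };
}

type Deps = {
  getToken: () => Promise<string>;
  canAccessEvent: (userId: string, eventId: string) => Promise<boolean>;
  requestVotingUrl: (token: string, email: string, eventId: string) => Promise<{ url: string }>;
};

// userId is null when your own session check (step 2) rejected the request.
async function handleGenerateUrl(
  deps: Deps, userId: string | null, email: string, eventId: string,
): Promise<Result> {
  if (userId === null) return { status: 401, body: { error: "unauthenticated" } };
  if (!(await deps.canAccessEvent(userId, eventId))) return { status: 403, body: { error: "forbidden" } }; // step 3
  const token = await deps.getToken();
  const upstream = await deps.requestVotingUrl(token, email, eventId);
  // Step 5: copy the URL out explicitly so no other upstream field is forwarded.
  return { status: 200, body: { url: upstream.url } };
}
```

In a real backend the `exchange` callback is the only place that reads CLIENT_ID / CLIENT_SECRET (step 1), from the environment or a secret manager.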

A complete reference implementation is available in the Sample-IN-APP-Voting repository.


Next: Install the SDK.