I don't want to specify the frontend URL in the backend. The backend should be completely unaware of who is using its auth APIs. The frontend should call the backend APIs directly. To make sure only trusted frontend apps can request login, I want to provide some sort of secret access token by registering the app. They can use the token to make calls from the frontend. The backend will validate whether the app is registered or not. If not, reject the request. Is it possible?
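The registration-and-validation flow described in the question, shown from the backend side as an added example that is not part of the original post. The names `AppRegistry`, `handle_login`, `X-App-Id` and `X-App-Token` are assumptions made for illustration; the backend keeps only a hash of each issued token and never looks at the caller's URL.

```python
import hashlib
import hmac
import secrets


class AppRegistry:
    """Hypothetical backend-side registry of client apps (all names are assumptions)."""

    def __init__(self):
        # app_id -> SHA-256 digest of the issued token; the raw token is never stored
        self._digests = {}

    def register(self):
        """Register an app and return (app_id, token); the token is shown only once."""
        app_id = secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self._digests[app_id] = hashlib.sha256(token.encode()).digest()
        return app_id, token

    def revoke(self, app_id):
        """Remove an app so its token stops being accepted."""
        self._digests.pop(app_id, None)

    def is_registered(self, app_id, token):
        """Constant-time check that the presented token belongs to a registered app."""
        presented = hashlib.sha256((token or "").encode()).digest()
        expected = self._digests.get(app_id)
        if expected is None:
            # Still perform a comparison so unknown ids follow the same code path
            hmac.compare_digest(presented, bytes(32))
            return False
        return hmac.compare_digest(presented, expected)


def handle_login(registry, headers, credentials):
    """Reject the login request before touching credentials unless the app is registered."""
    app_id = headers.get("X-App-Id", "")        # hypothetical header name
    token = headers.get("X-App-Token", "")      # hypothetical header name
    if not registry.is_registered(app_id, token):
        return 403, "unregistered app"
    # Real credential verification would happen here (outside this example's scope)
    return 200, "login request accepted for processing"
```

A token shipped inside browser-delivered code can be read by anyone who loads the page, so this check identifies a registered app only for as long as the token stays confidential.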