According to OAuth 2.0 flow in //tyk.io/docs/basic-config-and-security/security/authentication-authorization/oauth-2-0/
For example, Access token flow (e.g. mobile apps, single-page web apps)
Step 5, it requires TYK REST API /tyk/oauth/authorize-client/ to generate the access code/token for the access purpose
According to the Key management API in https://tyk.io/docs/tyk-rest-api/oauth-key-management/
it requires x-tyk-authorization which is the node secret of TYK gateway. I wonder why it does not use the client ID/secret. It means the client app require to keep the tyk node secret and if someone get this node secret, he can call the TYK REST API for authorization the client.
Is there any security issue in this step? Please correct me if I am wrong. Thanks