We require a backend for several reasons:

  1. Since the data from payroll providers is sensitive, making API requests from the backend and storing that data on the backend reduces the likelihood of this data being exposed to malicious persons.
  2. Exchanging the authorization code for an access_token should always take place in your backend to ensure your client_secret and access_token are never publicly exposed.
  3. Likewise, your backend should always store the access token in a secure database and should never return the access token to the frontend application.
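The three points above describe one backend flow: receive the authorization code, exchange it server-side, keep the resulting token out of the browser. The following is an added example in Python that is not the provider's own code and does not use its real API: the token endpoint URL, the form field names, and the in-memory token store are assumptions standing in for a real provider endpoint and an encrypted database. The function returns only an opaque handle to the frontend, so neither the `client_secret` nor the `access_token` ever crosses the trust boundary.

```python
"""Backend-only authorization-code exchange (added example, not provider code).

Assumptions: TOKEN_URL is a placeholder, the request/response field names
follow the common OAuth 2.0 shape, and TokenStore stands in for an encrypted
database column or secrets manager.
"""
import json
import secrets
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

TOKEN_URL = "https://provider.example/oauth/token"  # assumed placeholder endpoint


@dataclass
class TokenStore:
    """Server-side store keyed by an opaque connection id.

    The frontend only ever sees the connection id; the token itself stays
    here. A real deployment would encrypt the token at rest.
    """
    _tokens: Dict[str, str] = field(default_factory=dict)

    def put(self, access_token: str) -> str:
        connection_id = secrets.token_urlsafe(16)  # unguessable opaque handle
        self._tokens[connection_id] = access_token
        return connection_id

    def get(self, connection_id: str) -> Optional[str]:
        return self._tokens.get(connection_id)


def default_http_post(url: str, form: Dict[str, str]) -> dict:
    """POST a form-encoded body and decode the JSON reply (real network call)."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def exchange_code(code: str, client_id: str, client_secret: str,
                  store: TokenStore,
                  http_post: Callable[[str, Dict[str, str]], dict] = default_http_post) -> dict:
    """Trade the authorization code for an access token, entirely on the backend.

    The client_secret is sent only from here to the provider, the token goes
    straight into the store, and the dict returned is the complete payload
    the frontend receives: just the opaque connection id.
    """
    body = http_post(TOKEN_URL, {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    access_token = body["access_token"]
    connection_id = store.put(access_token)
    return {"connection_id": connection_id}


def fetch_on_behalf(connection_id: str, store: TokenStore,
                    provider_get: Callable[[str], dict]) -> dict:
    """Later provider calls run from the backend using the stored token.

    The frontend supplies only the connection id; the token is looked up
    here and is never echoed back in the response.
    """
    token = store.get(connection_id)
    if token is None:
        raise KeyError("unknown connection id")
    return provider_get(token)


def response_leaks_secret(response: dict, *secrets_to_check: str) -> bool:
    """True if any secret value appears anywhere in the serialized response."""
    blob = json.dumps(response)
    return any(s in blob for s in secrets_to_check)


if __name__ == "__main__":
    # Constructed stand-in for the provider: no network, returns a fake token.
    def fake_post(url: str, form: Dict[str, str]) -> dict:
        return {"access_token": "tok_constructed_example", "token_type": "bearer"}

    store = TokenStore()
    reply = exchange_code("code_from_redirect", "client_id_x", "client_secret_x",
                          store, http_post=fake_post)
    print(reply)  # only {"connection_id": "..."} reaches the frontend
    print(response_leaks_secret(reply, "tok_constructed_example", "client_secret_x"))
```

Wiring this into a web framework means the route that receives the redirect calls `exchange_code` and returns its dict as the HTTP response body; any later route that needs payroll data calls `fetch_on_behalf` with the connection id from the session, so the token stays on the server for its whole lifetime.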