Fetching a Token requires your App Key and App Secret. If you request it from the client, your code could be decompiled, exposing your App Key and App Secret.
- Always get the Token from the server in production. Your client app should call the IM Server API through your app’s server to request the Token. For details, see the Server API docs User Registration.
Reference: How does the Token refresh mechanism work?