the leak of a consumer secret will not result in the compromising of user accounts (the consumer secret is needed to get user secrets, but getting user secrets requires the user's intervention).
however - do not put the consumer key and secret in the source of your code and distribute it. instead, make it possible for your source to read the consumer key and secret from a configuration, and distribute, with your source code, a sample configuration file or a README that details how to create one.

hope that helps.

On Fri, Jan 29, 2010 at 7:57 AM, ShellEx Well <[email protected]> wrote:
> if a twitter App's Consumer key and secret were leaked out, is it
> possible to gain a user's access token without a user authentication
> process?
>
> I am writing an opensource desktop client and have implemented OAuth for
> it. However, I don't know whether it is suitable to put my key and secret in
> the source? Are there any risks if I do that?
>
> Thx :)
>

--
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi
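
One way to follow the advice in the reply above, as an added example that is not part of the original thread or any Twitter code: the source ships only a sample configuration, and the client refuses to start while the file is missing, still holds the sample placeholders, or is readable by other local users. The section name, key names and placeholder strings are assumptions made for this sketch.

```python
import configparser
import os
import stat
from pathlib import Path

# Hypothetical layout: section and key names are assumptions, not a standard.
SECTION = "oauth"
PLACEHOLDERS = {"", "YOUR_CONSUMER_KEY", "YOUR_CONSUMER_SECRET"}

SAMPLE_CONFIG = """\
# Copy this file, fill in the values issued for your own registered
# application, and keep the filled-in copy out of version control.
[oauth]
consumer_key = YOUR_CONSUMER_KEY
consumer_secret = YOUR_CONSUMER_SECRET
"""


class ConfigError(Exception):
    """The consumer credentials could not be loaded safely."""


def write_sample(path):
    """Write the sample file that is distributed instead of real credentials."""
    Path(path).write_text(SAMPLE_CONFIG, encoding="utf-8")


def load_consumer_credentials(path):
    """Return (consumer_key, consumer_secret) read from a local config file."""
    path = Path(path)
    if not path.is_file():
        raise ConfigError(f"{path} not found; copy the sample config and fill it in")
    # On POSIX, refuse a file that group or other local users can access.
    if os.name == "posix" and stat.S_IMODE(path.stat().st_mode) & 0o077:
        raise ConfigError(f"{path} is accessible to group/others; run chmod 600")
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path, encoding="utf-8")
    if not parser.has_section(SECTION):
        raise ConfigError(f"[{SECTION}] section missing in {path}")
    values = []
    for name in ("consumer_key", "consumer_secret"):
        value = parser.get(SECTION, name, fallback="").strip()
        if value in PLACEHOLDERS:
            raise ConfigError(f"{name} is unset or still the sample placeholder")
        values.append(value)
    return tuple(values)
```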
