Some projects (like dabr) put the key and secret in config files.
But I think it really sucks for users who want to use my client with
OAuth, because they have to get a key/secret pair and do the configuration
themselves, and this is not convenient for users.

So I doubt whether it is a good way to use OAuth in a desktop client.

On Jan 30, 1:35 am, Raffi Krikorian <> wrote:
> the leak of a consumer secret will not result in the compromising of user
> accounts (the consumer secret is needed to get user secrets, but to get user
> secrets requires the user's intervention).
> however - do not put the consumer key and secret in the source of your code
> and distribute it.  instead, make it possible for your source to read the
> consumer key and secret from a configuration, and distribute, with your
> source code, a sample configuration file or a README that details how to
> create one.
> hope that helps.
> On Fri, Jan 29, 2010 at 7:57 AM, ShellEx Well <> wrote:
> > if a twitter App's Consumer key and secret were leaked, is it
> > possible to gain a user's access token without a user authentication
> > process?
> > I am writing an open-source desktop client and have implemented OAuth for
> > it. However, I don't know whether it is suitable to put my key and secret in
> > the source. Are there any risks if I do that?
> > Thx :)
> --
> Raffi Krikorian
> Twitter Platform Team
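
An added example, not part of the original thread or of any project named in it: one way a client could follow the advice quoted above, shipping only a sample file with the source and reading the real consumer key and secret from a private config file at run time. The file layout, the `[oauth]` section, the placeholder strings and the POSIX permission check are assumptions of this example.

```python
import configparser
import os
import stat

# Placeholder values shipped in the sample file (constructed for this example).
PLACEHOLDERS = {"", "YOUR_CONSUMER_KEY", "YOUR_CONSUMER_SECRET"}

SAMPLE_CONFIG = """\
[oauth]
consumer_key = YOUR_CONSUMER_KEY
consumer_secret = YOUR_CONSUMER_SECRET
"""


class ConfigError(Exception):
    """Raised when the OAuth consumer credentials cannot be used."""


def write_sample(path):
    """Write the sample file that is distributed with the source tree."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CONFIG)


def load_consumer_credentials(path):
    """Return (consumer_key, consumer_secret) read from a private config file."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        raise ConfigError(f"{path} not found; copy the sample file and fill it in")
    # On POSIX, refuse a file that group or other users can read or write.
    if os.name == "posix" and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise ConfigError(f"{path} is accessible to other users; run chmod 600")
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read(path, encoding="utf-8")
        key = parser.get("oauth", "consumer_key").strip()
        secret = parser.get("oauth", "consumer_secret").strip()
    except configparser.Error as exc:
        raise ConfigError(f"{path}: {exc}")
    # An unedited copy of the sample must never be treated as real credentials.
    if key in PLACEHOLDERS or secret in PLACEHOLDERS:
        raise ConfigError(f"{path} still contains the sample placeholder values")
    return key, secret
```

Keeping the real file out of version control (for example through an ignore rule) is what stops the secret from being distributed with the source.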
