> I am talking about the "client_secret" string
> You can't put that string on a server
You very much can and you very much should. In the specific example of Facebook, they specifically say that the app secret should never be in any client-side code, including HTML/JS, native iOS, native Android, etc. since all that can be decompiled. You SHOULD route the login/auth requests through your server, where your app secret is stored. Here's the relevant part directly from the Facebook docs: "Therefore the App Secret or an App Access token should never be included in any code that could be accessed by anyone other than a developer of the app. This applies to all methods of code that are not secured like client-side code (such as HTML or Javascript) or native apps (such as iOS, Android or Windows desktop apps) that could be decompiled." https://developers.facebook.com/docs/facebook-login/security/#appsecret
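Added example (not from the comment above or from Facebook's SDKs) of the split the commenter describes: the client only ever receives the public app id and redirect URI, while the server holds the app secret, performs the code-for-token exchange, and derives the `appsecret_proof` HMAC that Facebook's "Require App Secret" setting expects on Graph API calls. The Graph version string, the `FB_APP_SECRET` environment variable name and all sample values are assumptions.

```python
import hashlib
import hmac
import os
from urllib.parse import urlencode

# Placeholder version segment; substitute the Graph API version your app targets.
GRAPH_VERSION = "vX.Y"
TOKEN_ENDPOINT = f"https://graph.facebook.com/{GRAPH_VERSION}/oauth/access_token"


def load_app_secret() -> str:
    """Server-side only: the secret comes from the environment (or a secret
    store), never from a file shipped with the client.  Env var name assumed."""
    secret = os.environ.get("FB_APP_SECRET")
    if not secret:
        raise RuntimeError("FB_APP_SECRET is not set on the server")
    return secret


def public_client_config(app_id: str, redirect_uri: str) -> dict:
    """The only login configuration the browser or mobile app should receive."""
    return {"app_id": app_id, "redirect_uri": redirect_uri}


def build_code_exchange_url(app_id: str, app_secret: str,
                            redirect_uri: str, code: str) -> str:
    """Build the server-to-Facebook request that swaps the login `code` for an
    access token.  Because client_secret is a parameter, this call must be made
    from the server and never mirrored into client code."""
    params = {"client_id": app_id, "redirect_uri": redirect_uri,
              "client_secret": app_secret, "code": code}
    return TOKEN_ENDPOINT + "?" + urlencode(params)


def appsecret_proof(app_secret: str, access_token: str) -> str:
    """HMAC-SHA256 of the access token keyed with the app secret, hex encoded.
    Facebook can be configured to reject Graph calls without this proof, which
    is only possible to compute where the secret lives: on the server."""
    return hmac.new(app_secret.encode(), access_token.encode(),
                    hashlib.sha256).hexdigest()


def leaks_secret(served_body: str, app_secret: str) -> bool:
    """Defensive check for anything returned to clients (HTML, JSON, JS)."""
    return app_secret in served_body
```

Run the exchange URL through your HTTP client of choice on the server and hand only the resulting session (not the token or the secret) back to the client.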
