Is it possible to gain a user access token without exposing the client_id to the user?
In all of the examples in the API documentation, the client_id is included in either the URL of the authorization page or in meta tags in the rendered HTML.
In addition to this I suppose it also raises the question … does it matter if the client_id is exposed?
Users being able to see your client_id is not an issue, and is perfectly normal. Your client secret, and any OAuth tokens that your app receives, are private though so you do need to keep them secure.
2 Likes
Well that is good news for me as that is what I have currently implemented.
I suppose that makes sense because you can’t really do anything with just the client_id if you don’t have a user access token or similar.
Thanks.