I am working on a desktop app (i.e. it has no online component), which means I’d be locally storing the client-id and the bearer token for any users the app is authorised to act on behalf of (after obtaining the latter using implicit code flow).
My concern with this is that someone with ill intentions could take these two codes and use them to spam or otherwise misuse the API. This would look like it’s my app doing it, even though it’s not. I have two questions regarding this potential issue:
Is the rate limit bound to bearer tokens when provided (or something similar), or is it global? If it’s global, it would mean that misuse could result in a DoS attack on my app.
In case someone does abuse the API in this manner, will I, as the app author, be held responsible (i.e. responsibility based on client-id), or will the user making the abusive requests be held responsible (i.e. responsibility based on bearer token)? I do not want my app to be banned because of one bad actor getting hold of a bearer token.
It’s also possible that someone could use a client-id to make requests without the use of a bearer token, and I was also wondering how exposing the client-id might potentially open that up as an attack vector for bad actors.