Secure client secret

Hey folks!

I’m writing a mobile application for a streamer and was wondering if anyone has had experience using OAuth2 on mobile.

In order to keep the client secret private, I was going to set up a web service to act as a proxy between the app and Twitch.

Is this ideal/optimal? Does anyone have another way (besides packaging the secret in the APK)?

Hi @Metallian

You might want to take a look at https://github.com/justintv/Twitch-API/blob/master/authentication.md#implicit-grant-flow. This is also recommended for apps that make no use of a server:

If you are making an app that doesn’t use a server, such as a client-side JavaScript app or a mobile app, you’ll use the Implicit Grant Flow.

This method does not require a client secret (only the client id). I do not know what your app should do, but based on reading your post I think this might suit you.
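The implicit grant flow recommended in the answer above, as an added example that is not part of the original posts or of Twitch's documentation: the app sends only the client id, then reads the token from the redirect fragment after checking the `state` value it generated. The authorization endpoint, redirect URI, sample values and function names are assumptions for illustration.

```javascript
// Added example (Node.js): client side of an OAuth2 implicit grant, no client secret.
const { randomBytes, timingSafeEqual } = require("node:crypto");

// Assumption: placeholder endpoint; take the real one from the provider's documentation.
const AUTHORIZE_ENDPOINT = "https://auth.example.invalid/oauth2/authorize";

// Unguessable per-request value, used to tie the redirect back to this request.
function newState() {
  return randomBytes(16).toString("hex");
}

// Build the URL the app opens in the system browser. Only the client id is sent.
function buildAuthorizeUrl({ clientId, redirectUri, scopes, state }) {
  const url = new URL(AUTHORIZE_ENDPOINT);
  url.searchParams.set("response_type", "token"); // "token" selects the implicit grant
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("scope", scopes.join(" "));
  url.searchParams.set("state", state);
  return url.toString();
}

// Validate the redirect the app receives and extract the token from the fragment.
function parseImplicitRedirect(redirectedTo, expectedRedirectUri, expectedState) {
  const got = new URL(redirectedTo);
  const want = new URL(expectedRedirectUri);
  if (got.protocol !== want.protocol || got.host !== want.host ||
      got.pathname !== want.pathname) {
    throw new Error("redirect target mismatch");
  }
  // The token arrives after '#', so it is not sent to the server behind the redirect URI.
  const params = new URLSearchParams(got.hash.replace(/^#/, ""));
  if (params.has("error")) {
    throw new Error("authorization failed: " + params.get("error"));
  }
  const state = Buffer.from(params.get("state") || "");
  const expected = Buffer.from(expectedState);
  if (state.length !== expected.length || !timingSafeEqual(state, expected)) {
    throw new Error("state mismatch"); // response does not belong to our request
  }
  const accessToken = params.get("access_token");
  if (!accessToken) throw new Error("no access_token in fragment");
  const scopes = (params.get("scope") || "").split(" ").filter(Boolean);
  return { accessToken, scopes };
}
```

The returned token should be held in platform-protected storage on the device and requested with the narrowest scopes the app needs, since anyone who obtains it can act with those scopes.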

Thanks @Cookie! That’ll work just fine!

Best regards!
