Should the Auth token and/or client ID be secret?

Hello, I am developing an application for someone in Java. I have the auth token and the client ID in my code. Is this fine? Since they can just decompile it.

Client IDs are considered public

Client Secrets are secret

An auth token is also considered secret depending on a few things (if it’s the user’s own token then it’s safe to show the user their own user token), but since an auth token can expire, it shouldn’t be in your code anyway.

As when the token dies/expires the app can’t be fixed as you hard coded the auth token. (without an app update)

Thanks for the fast reply! :slight_smile:
Do you know what I can do to fix this?
Since if I create an “autoupdater” for the token to create a new token when it expires, my client secret wouldn’t be very secret anymore.
And also, if I create a file with the token or client secret, that also breaks the point of it being secret.

If the application is to be installed to the user’s computer, then you would use implicit auth, which can generate a token that’s valid for around 60 days.

That only uses a client_id to generate a token.


Thanks!
So I can hardcode the client id, correct? (To regenerate the token after the 60 days)

Sure, a client ID is considered public, since it’s used in the URL that you redirect users to Twitch to auth with.

Alright
:slight_smile:

So I’ve tried to do this: (Note: I’m trying to get the token with a GET request)
https://id.twitch.tv/oauth2/authorize?client_id=ClientIdHere&redirect_uri=localhost&response_type=token&scope=
But it doesn’t seem to work, it returns some weird value and if I put it in the browser it takes me to this: https://prnt.sc/102t4e5
Am I doing something wrong?

Your redirect URL is incomplete; it should be the URL encoding of “http://localhost/”.

After hitting “continue” you’ll be sent to the Default Redirect URI, which will contain an error_description query string parameter that will describe the error.

oops!
So I would have to bring users to that webpage instead of using a GET request?
Or is there another way?

Oh yeah, you have to LITERALLY send people to Twitch (via GET) for Step 1 of OAuth.

This is an implicit auth example that illustrates the flow.

Step 1 for you would be the same (link to Twitch)


Thanks!
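
The flow discussed in this thread, as an added Java example (not code from any poster or from Twitch): it builds the Step 1 authorize URL from the public client ID with a URL-encoded redirect URI, then pulls the token out of the redirect's fragment. Assumptions not in the thread: the class and method names, the `state` parameter used to reject redirects the app did not start, the sample scope, and the constructed redirect URL in `main`; Java 10+ is required.

```java
import java.math.BigInteger;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

public class TwitchImplicitAuth { // hypothetical class name
    // Percent-encode one query value; "http://localhost/" becomes "http%3A%2F%2Flocalhost%2F".
    static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8).replace("+", "%20");
    }
    // Random value generated per login attempt and echoed back in the redirect.
    static String newState() {
        return new BigInteger(128, new SecureRandom()).toString(16);
    }
    // Step 1: the URL to open in the user's browser. Only the public client ID is
    // embedded; no client secret and no token is shipped in the application.
    static String authorizeUrl(String clientId, String redirectUri, String scope, String state) {
        return "https://id.twitch.tv/oauth2/authorize"
            + "?client_id=" + enc(clientId)
            + "&redirect_uri=" + enc(redirectUri)
            + "&response_type=token"
            + "&scope=" + enc(scope)
            + "&state=" + enc(state);
    }
    // Implicit auth puts the token in the URL fragment (after '#'), not the query string.
    static String tokenFromRedirect(String landedUrl, String expectedState) {
        int hash = landedUrl.indexOf('#');
        if (hash < 0) throw new IllegalArgumentException("no fragment; check error_description");
        Map<String, String> params = new HashMap<>();
        for (String pair : landedUrl.substring(hash + 1).split("&")) {
            String[] kv = pair.split("=", 2);
            params.put(kv[0], kv.length > 1 ? URLDecoder.decode(kv[1], StandardCharsets.UTF_8) : "");
        }
        if (!expectedState.equals(params.get("state"))) throw new SecurityException("state mismatch");
        String token = params.get("access_token");
        if (token == null) throw new IllegalArgumentException("no access_token in fragment");
        return token;
    }
    public static void main(String[] args) {
        String state = newState();
        // "ClientIdHere" is the thread's placeholder; the scope is a sample value.
        System.out.println(authorizeUrl("ClientIdHere", "http://localhost/", "user:read:email", state));
        // Constructed redirect, shaped like the URL the browser lands on after consent.
        String landed = "http://localhost/#access_token=SAMPLE_TOKEN&scope=user%3Aread%3Aemail&state="
            + state + "&token_type=bearer";
        System.out.println(tokenFromRedirect(landed, state));
    }
}
```

Keep the returned token in memory or in per-user storage rather than in source, and run Step 1 again when it expires.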