OAuth key and secret


Detlev Mattéo Casanova

May 27, 2014, 1:57:25 PM
to mobile-vikin...@googlegroups.com
Hello!

I'm working on an MV app for SailfishOS (Qt/Linux based). It can connect with XAuth now and it works pretty well.

The thing is that it is an open source app. Can I set the OAuth API credentials in the freely downloadable code? Or is it supposed to be kept secret?

Thanks in advance,

Detlev Casanova

Koen Vossen

May 28, 2014, 5:35:21 AM
to mobile-vikin...@googlegroups.com
Indeed, that seems to be an issue without a decent solution at the
moment. Closed-source apps often contain an obfuscated version of the
key and secret, but even those can be obtained easily by someone who
knows what he's doing.

You could try proxying the calls via your own server, but that's
pretty nasty too. By the way, it's also possible to use simple HTTP
auth with our api, maybe that approach is more suited for your
purposes.

Kind regards,

Koen Vossen
Developer at Mobile Vikings | http://mobilevikings.com

Koen Vossen

May 28, 2014, 5:49:20 AM
to mobile-vikin...@googlegroups.com
On Tue, May 27, 2014 at 7:57 PM, Detlev Mattéo Casanova wrote:
> The thing is that it is an open source app. Can I set the OAuth API
> credentials in the freely downloadable code? Or is it supposed to be kept
> secret?

Since I forgot to answer your main question: yes, they're supposed to be kept secret. Otherwise, people will be able to impersonate your application.

Koen
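
An added example, not part of the thread and not Mobile Vikings code: a sketch of the proxy approach mentioned above, where a server you control signs OAuth 1.0 requests so the consumer secret never ships in the open-source client. It assumes HMAC-SHA1 signing as defined in RFC 5849 and that the proxy holds the user's token secret; the key, secret, URL and function names are placeholders.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

# Placeholders (constructed): real values live only in the proxy's server-side config.
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"

def pct(s):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay literal."""
    return quote(str(s), safe="-._~")

def signature(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the RFC 5849 signature base string."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(normalized)])
    # Whoever knows both secrets can produce valid signatures, which is
    # why the consumer secret must not be readable from the client code.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def sign_for_client(method, url, query, token, token_secret,
                    nonce=None, timestamp=None):
    """Proxy side: return the Authorization header for one request.

    The client receives (or the proxy forwards with) this header only;
    CONSUMER_SECRET is used here and never returned.
    """
    oauth = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = signature(
        method, url, {**query, **oauth}, CONSUMER_SECRET, token_secret)
    return "OAuth " + ", ".join(
        f'{k}="{pct(v)}"' for k, v in sorted(oauth.items()))
```
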