Twinsen

Reputation: 893

Secret api Key Facebook and Twitter

What danger is there if these keys were intercepted or written in clear?

facebook_app_id: XXX
facebook_app_secret: XXX
twitter_app_id: XXX
twitter_app_secret: XXX
twitter_access_token: XXX
twitter_token_secret: XXX

Upvotes: 0

Views: 127

Answers (1)

kapex

Reputation: 29969

  • The Application ID (sometimes called API Key) is not confidential. It just identifies your application. You can often find app IDs in the source code of websites that access an API with JavaScript.

  • App Secrets must be kept secret. There often are additional security measures in case the key is compromised (for example whitelisting domains that will have access) but in general you can say: If someone has the secret key, he can do everything your application could do.

  • Access Tokens (or Access Token + Token Secret) are temporary credentials of a client. Your application uses the token to authenticate users. If an attacker gets an access token, he could pose as the client as long as the token is valid.

Twitter uses OAuth1, while Facebook uses OAuth2, which is the reason for Twitter's additional token secret. The token secret in OAuth1 is more secure in case the access token can be easily compromised (like over an insecure connection), but it takes additional steps to obtain a token secret. For OAuth2 you should use a secure connection. For a better understanding of the terms used by Twitter you should look at the specification, especially the definition of the different tokens.

Upvotes: 1
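Added example, not code from the answer above: an OAuth 1.0a HMAC-SHA1 signing and server-side verification routine following RFC 5849, using constructed placeholder credentials and a Twitter-style update endpoint. It shows why a captured OAuth1 access token on its own (even together with the app secret) is not enough to get an altered request accepted when the token secret is unknown, which is the difference from an OAuth2 bearer token.

```python
import base64
import hashlib
import hmac
import urllib.parse

def _pct(s: str) -> str:
    # RFC 5849 section 3.6: only unreserved characters stay bare
    return urllib.parse.quote(s, safe="-._~")

def signature_base_string(method: str, url: str, params: dict) -> str:
    # Section 3.4.1: METHOD & encoded base URL & encoded normalized parameters
    pairs = sorted((_pct(k), _pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _pct(url), _pct(normalized)])

def oauth1_signature(method, url, params, consumer_secret, token_secret) -> str:
    # Section 3.4.2: HMAC-SHA1 keyed with "app secret & token secret" (both encoded)
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def verify_signature(method, url, params, consumer_secret, token_secret) -> bool:
    # Server side: recompute over everything except oauth_signature, compare in constant time
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = oauth1_signature(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(params.get("oauth_signature", ""), expected)

def demo() -> tuple:
    # All credentials below are constructed placeholders, not real Twitter keys.
    consumer_secret, token_secret = "constructed-app-secret", "constructed-token-secret"
    url = "https://api.twitter.com/1.1/statuses/update.json"
    params = {
        "status": "a signed OAuth request",
        "oauth_consumer_key": "constructed-app-id",
        "oauth_nonce": "constructed-nonce",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1318622958",
        "oauth_token": "constructed-access-token",
        "oauth_version": "1.0",
    }
    legit = dict(params, oauth_signature=oauth1_signature("POST", url, params, consumer_secret, token_secret))
    # Someone who captured this request knows oauth_token (and, worst case, the app secret)
    # but not the token secret, so any altered request gets a signature the server rejects.
    altered = dict(params, status="altered")
    altered["oauth_signature"] = oauth1_signature("POST", url, altered, consumer_secret, "")
    return (verify_signature("POST", url, legit, consumer_secret, token_secret),
            verify_signature("POST", url, altered, consumer_secret, token_secret))
```

The signature only protects against altered or re-signed requests; a server must also reject a reused nonce/timestamp pair (RFC 5849 section 3.3), otherwise the captured request itself can be replayed unchanged.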
