Eyad Fallatah

Reputation: 1948

Is it safe to share Facebook API id and secret key?

I am working on an open source web-based application that communicates with Facebook. One of the files contains the Facebook API id and secret key. Is it fine to share this information with the rest of the world?

Upvotes: 5

Views: 4061

Answers (4)

James Anderson

Reputation: 163

It is not safe to share the secret key; you shouldn't share this with anyone. When you open source the code, put in some dummy values instead, or nothing at all.

Upvotes: 4
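The dummy-value advice above, as an added example that is not part of the original answers: the app reads the real secret from the environment, refuses to start on a placeholder, and a pre-publication check confirms the real value is in no file of the working tree. The variable names `FB_APP_ID` and `FB_APP_SECRET`, the placeholder strings and the sample files are assumptions made for this sketch.

```python
import os
import tempfile
from pathlib import Path

# Hypothetical dummy values that may appear in the published example config.
PLACEHOLDERS = {"", "YOUR_APP_SECRET", "changeme"}


def load_facebook_credentials(env=os.environ):
    """Read the app ID and secret from the environment, not a committed file."""
    app_id = env.get("FB_APP_ID", "")          # assumed variable name
    secret = env.get("FB_APP_SECRET", "")      # assumed variable name
    if secret in PLACEHOLDERS:
        raise RuntimeError("FB_APP_SECRET is unset or still a placeholder")
    return app_id, secret


def files_containing_secret(root, secret):
    """Return relative paths under root whose bytes contain the real secret.

    Working tree only: .git is skipped, so a secret that was already
    committed and pushed is not detected here and has to be reset.
    """
    needle = secret.encode()
    hits = []
    for path in sorted(Path(root).rglob("*")):
        rel = path.relative_to(root)
        if not path.is_file() or ".git" in rel.parts:
            continue
        try:
            if needle in path.read_bytes():
                hits.append(str(rel))
        except OSError:
            continue  # unreadable file: nothing to report
    return hits


def demo():
    """Run the check on a constructed tree holding one leaked copy."""
    secret = "constructed-secret-0123456789"  # constructed sample value
    with tempfile.TemporaryDirectory() as d:
        Path(d, "config.example.php").write_text("$secret = 'YOUR_APP_SECRET';")
        Path(d, "config.php").write_text(f"$secret = '{secret}';")
        return files_containing_secret(d, secret)


if __name__ == "__main__":
    print("files still holding the secret:", demo())
```

Run the check before each push to the public repository and fail the publish step if the list is not empty.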

Matthew Johnston

Reputation: 4439

It is extremely important that you never share your app secret. Your app ID is completely unimportant and available to anyone who goes to your Facebook apps profile page, but the app secret is a completely different story. It could compromise any data stored within your application and allow third parties to call specific APIs on your behalf without your knowledge. This is bad for you and for your users.

If you have accidentally shared your app secret (this can happen when it's embedded in client binaries or code) then you can reset it really quickly through the Facebook developer app: https://developers.facebook.com/apps. Go to Settings -> Edit and then click reset beside the app secret. This will have the effect of invalidating any access tokens that have previously been granted by your app.

Upvotes: 12

genesis

Reputation: 50976

No, it isn't. Why do you think they named it "Secret"?

It's the truth that there is probably no way to abuse it (because Facebook always checks origin URL, too); however, you should not share it...

Upvotes: 3

Brian Hoover

Reputation: 7991

The secret key is, well, secret. You shouldn't share it with anyone.

Upvotes: 0
