Foursquare API: Userless Access (client_secret key)

Question

Reading on some of the answers on here, people suggest doing userless access by calling Foursquare by: https://api.foursquare.com/v2/venues/search?ll=40.7,-74&client_id=XXXXXXXXXXXXXXXX&client_secret=YYYYYYYYYYYYYYYYY&v=20111109

This means I have to include my client_secret key? Is this safe?

Clarification, I'm working on an iOS app using Foursquare search without the user logging in.

Answer 1

You should probably route the search requests via your server, which can add the client_id/client_secret information before passing it to foursquare. This will also be useful if you ever need to change your id/secret information, want to add caching, etc.

(That being said, it's perfectly common to put your client id / secret into your iOS app, but I would avoid explicitly publishing it anywhere, e.g. in any public source code)

Answer 2

Yes, it means that you need to include the client_id and client_secret.

Define safe :)
For facebook server-side application access, you include the app id and app secret as well (id|secret constructs the access token)

I think that the main idea behind this kind of access is to allow server-side access from the application and if the api access is done via a server script/code/web-service (and not via client-side javascript), this information remains a secret.

I guess it would be true to say that leaving this information somehow in the javascript code is not the best idea (= not safe!).