tylerl

Reputation: 1180

OAuth 2.0 with AJAX - Safer to share just my own Token, or both the Client & Secret?

I'm using Foursquare's API and since my code works client-side with JavaScript, I'm currently showing my Client & Secret keys to the world. I've seen some other threads about using a proxy server to process requests, which would slow down everything a bit and take a little while to set up. I'll do it if absolutely necessary, but what am I actually risking by making my keys public? No users will ever be prompted to authorize the web app, so it's not like their accounts are at risk...? Thanks in advance!

Upvotes: 0

Views: 325

Answers (2)

Umesh Awasthi

Reputation: 23587

Showing your client and secret key to the world means letting the world know your bank user ID and password. So once this information is with someone, say with me (I will not use it :)), I am in the full driver position to do anything I like on your behalf.

Basically, these two things work as a handshaking mechanism which tells the service provider that you are the right person who has registered with them and now wants to interact with them.

Exposing this means exposing yourself. That said, the choice is all yours :)

Upvotes: 0

Kirsten Jones

Reputation: 2706

Exposing your OAuth tokens makes you responsible for anything someone else does with those credentials. Depending on the service, this could mean, for instance, that if someone were using your key and secret to do something violating Foursquare's terms of use, your key, and possibly developer account, could be shut down as a result.

Upvotes: 2
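The proxy approach mentioned in the question, sketched as an added example (not code from the question or either answer): the browser calls your server, and the server attaches the credentials before forwarding. The upstream base URL, the allowlisted paths and parameters, the `client_id`/`client_secret` query names and the `FSQ_*` environment variables are assumptions for illustration.

```javascript
// Added example: the secret lives in server-side environment variables,
// never in JavaScript delivered to the browser.
const UPSTREAM = "https://api.foursquare.com/v2";                 // assumed base URL
const ALLOWED_PATHS = new Set(["/venues/search", "/venues/explore"]); // assumed allowlist
const ALLOWED_PARAMS = new Set(["ll", "near", "query", "limit"]);     // assumed params

// Translate the browser's path and query into the upstream URL.
// Returns null when the path is not on the allowlist.
function buildUpstreamUrl(requestUrl, creds) {
  // The WHATWG URL parser normalises "../" segments before the allowlist check.
  const incoming = new URL(requestUrl, "http://proxy.invalid");
  if (!ALLOWED_PATHS.has(incoming.pathname)) return null;

  const out = new URL(UPSTREAM + incoming.pathname);
  for (const [key, value] of incoming.searchParams) {
    // Drop everything not explicitly allowed, including any
    // client-supplied client_id / client_secret.
    if (ALLOWED_PARAMS.has(key)) out.searchParams.append(key, value);
  }
  out.searchParams.set("client_id", creds.id);
  out.searchParams.set("client_secret", creds.secret);
  return out.toString();
}

// Request handler for Node's http module (Node 18+ for global fetch).
// Wire up with: require("http").createServer(handle).listen(8080)
async function handle(req, res, creds = {
  id: process.env.FSQ_CLIENT_ID,         // hypothetical variable names
  secret: process.env.FSQ_CLIENT_SECRET,
}) {
  const target = req.method === "GET" ? buildUpstreamUrl(req.url, creds) : null;
  if (!target) {
    res.writeHead(404);
    return res.end();
  }
  const upstream = await fetch(target);
  res.writeHead(upstream.status, { "content-type": "application/json" });
  res.end(await upstream.text());
}
```

The proxy keeps the secret private, but anyone can still call the allowlisted endpoints through it, so rate limiting belongs in front of the handler.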
