Home/ Questions/Q 607543
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T17:22:15+00:00

I’m writing a little web utility that posts status updates to Twitter and/or Facebook.

  • 0

I’m writing a little web utility that posts status updates to Twitter and/or Facebook. That involved creating ‘applications’ with both those services in order to get API keys and ‘secrets’.

My question is how protected I really need to keep those secrets — in order for this to work at all, you seem to need the secret to interact with the authentication part of the service to grant the app access to your account and/or grant it permission to post updates on your behalf. Facebook’s documentation says to protect the secret, but at least one other Facebook utility distributes the API key and secret in the source.

It’s important to note: this isn’t your standard Facebook ‘application’ that runs within the context of Facebook, nor is it a standard “desktop”-style compiled app — it’s a web-based application intended to be run on your own web server. The audience for this is probably small and somewhat more sophisticated than average — so, one technical alternative would be to require people to obtain their own API key and secret to use the app. That seems like a lot of work, however, and a fairly large barrier to entry to anybody using this.

Anybody know or have any insight on what sort of trouble I’m letting myself in for if I put both the secrets and the API keys in the config for my app and check it into Github for all the world to see?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Anyone who has access to your secret key has complete control over your application. This page shows all the admin settings they can change with the admin.setAppProperties API call. This could include putting the application into developer mode (so nobody else could use it), changing the callback URL (which would break it) or all kinds of other mischief.

    I’m not sure I entirely understand what you’re trying to do, but I think if you look at the documentation for session secrets then you may find a solution that doesn’t involve embedding the app’s secret key but still lets the user interact with the API. Session secrets are used by Facebook Connect and allow API calls to be made without an application secret. The API calls that can be made with a session secret tend to be restricted to the user interacting with their own data only. Updating status and granting permissions is definitely something you can do with a combination of session secrets, Connect and XFBML.

    And as Paul has already answered: sharing your application secret is against Facebook’s terms of service.

    • 0