Application-only OAuth for SPAs


Hello - How do we accomplish Application-only for Single Page Applications? Per the article on this, the id/secret/token are all considered ‘passwords’ that should be secured. In that regard, plugging them into a Single Page Application would expose them through the browser JavaScript. Is there a best practice on this? Is it “okay” to put the id/secret into an SPA? How would this be accomplished otherwise?

Thanks in advance.


This is generally handled by having a server you manage that holds the secrets. Your SPA makes requests to your server which then makes the requests to the Twitter API and returns the results to your SPA.


Yeah, figured…was hoping for a way around that, but makes sense. Thanks.