How should app registration be managed for view-source software?


We’re the creators of a PHP-based CMS product that users install on their own sites (like they would with WordPress, for example). We currently have a Twitter add-on that customers can use to display tweets on their website. We’re currently using the unauthenticated public json feeds (as nature intended) but are resigned to needing to switch to an authenticated model.

If I register my software as a Twitter app – as if it were a desktop client – and then distribute it to our customers, they’d all have access to the keys. Our software is PHP, and therefore uncompiled and view-sourceable. That sounds like a bad idea.

So should I be instructing every user to register their own app in order to use our software? That doesn’t sound right either - I wouldn’t want it to appear like we were trying to bypass any limits by acting that way. Is that what I should be doing? Each user of the add-on should register it as their own app?

I guess my question boils down to: is an app the software, or an installation of the software?

Just looking to do this the right way - any help appreciated.



Just to add, we’re in the same boat.
We can’t really expect our clients to register a twitter app so we can use their own keys, can we?


There are a few approaches you can take, but having your customers register their own API keys is likely the safest and a workable scenario for some use cases.

Keeping your keys secret is a best-effort scenario. If the language and distribution situation of your application is such that you can’t reliably obscure the keys, then you need to prepare for a world where that’s a fact as you’ll still be responsible for what’s done with your API keys. Should your API keys become compromised or otherwise misused, you can reset your API keys and re-distribute your application with new keys (or if the situation warrants it, a platform operations representative may do so).

We discourage including keys in public repositories of open source software.

For a definitive answer on this, consider reaching out to platform operations at


A lot of effort just to show latest posts.


Thanks Taylor.


@applecado - agreed. It may be simpler just to screen scrape the public timeline once the json goes away.