Is the "access token" and "access token secret" enough to make REST API requests from client side JavaScript?

token
javascript

#1

I’ve implemented this on the backend to obtain an access token and secret: https://dev.twitter.com/web/sign-in/implementing

Can I use these tokens to make REST API requests from client side JavaScript?

Lots of code examples are showing the “consumer key” and “consumer secret” as being required, which obviously shouldn’t be visible on the client side.


#2

We do not encourage the use of consumer keys and access tokens from client-side JavaScript as this is insecure.


#3

Thanks Andy. What about keeping the consumer key and secret server-side, but exposing the access token and access secret client-side?


#4

That is still not ideal, but as long as the consumer key and secret are very secure and not exposed, then yes in theory that’s “ok” because the access tokens are specific to the client ID / consumer key pair.
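
Added example, not part of any post in this thread: a Node.js sketch of OAuth 1.0a HMAC-SHA1 request signing as specified in RFC 5849, showing why the code examples mentioned in the question ask for the consumer secret. The HMAC key is built from the consumer secret and the token secret together, so a request can only be signed where the consumer secret lives. All keys, tokens, the URL and the function names are constructed placeholders.

```javascript
// Added example: OAuth 1.0a HMAC-SHA1 signing (RFC 5849), run server-side in Node.js.
// All keys, tokens and URLs below are constructed placeholders.
const nodeCrypto = require('crypto');

// RFC 3986 percent-encoding as required by RFC 5849 section 3.6.
const enc = (s) => encodeURIComponent(s).replace(/[!'()*]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());

// Signature base string: METHOD & encoded URL & encoded, sorted parameter list.
function baseString(method, url, params) {
  const pairs = Object.entries(params)
    .map(([k, v]) => [enc(k), enc(v)])
    .sort((a, b) => (a[0] < b[0] ? -1 : a[0] > b[0] ? 1 : a[1] < b[1] ? -1 : a[1] > b[1] ? 1 : 0))
    .map(([k, v]) => `${k}=${v}`)
    .join('&');
  return [method.toUpperCase(), enc(url), enc(pairs)].join('&');
}

// The HMAC key is "<consumer secret>&<token secret>": both halves are needed.
function sign(method, url, params, consumerSecret, tokenSecret) {
  const key = `${enc(consumerSecret)}&${enc(tokenSecret)}`;
  return nodeCrypto.createHmac('sha1', key)
    .update(baseString(method, url, params)).digest('base64');
}

// What the provider does: recompute with the secrets it has on file and compare.
function providerAccepts(method, url, params, signature, consumerSecret, tokenSecret) {
  const expected = Buffer.from(sign(method, url, params, consumerSecret, tokenSecret));
  const given = Buffer.from(signature);
  return expected.length === given.length && nodeCrypto.timingSafeEqual(expected, given);
}

// Constructed sample request and credentials.
const SAMPLE = {
  method: 'GET',
  url: 'https://api.example.test/1.1/statuses/home_timeline.json',
  params: {
    count: '5',
    oauth_consumer_key: 'EXAMPLE_CONSUMER_KEY',
    oauth_nonce: 'constructed-nonce-1',
    oauth_signature_method: 'HMAC-SHA1',
    oauth_timestamp: '1700000000',
    oauth_token: 'EXAMPLE_ACCESS_TOKEN',
    oauth_version: '1.0',
  },
  consumerSecret: 'EXAMPLE_CONSUMER_SECRET',
  tokenSecret: 'EXAMPLE_TOKEN_SECRET',
};
```

A signature computed with the token secret alone does not match the one the provider recomputes, so a browser holding only the access token and token secret would send its request parameters to a backend endpoint that calls `sign` and forwards the request.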