
Revoke Token endpoint and PKCE flow

This page makes a point of stating that using the Application Secret in an app where users could potentially see the source code is bad:

“If you have a public client that is unable to use registered client secrets or an application running in a browser or on a mobile device, you must use the OAuth PKCE flow. You should also choose the OAuth PKCE flow if you have a native desktop application, a single-page web application, or a mobile application.”

But the revoke token endpoint seems to explicitly require the application secret:

How should I call the Revoke Token endpoint if I’m trying to avoid including my Square application’s Application/Client Secret in an app that I give to users?

3 posts - 2 participants
