What are the potential problems with exposing the Facebook API secret?

Tags: facebook

I'm writing a little web utility that posts status updates to Twitter and/or Facebook. That involved creating 'applications' with both those services in order to get API keys and 'secrets'.

My question is how protected I really need to keep those secrets -- in order for this to work at all, you seem to need the secret to interact with the authentication part of the service to grant the app access to your account and/or grant it permission to post updates on your behalf. Facebook's documentation says to protect the secret, but at least one other Facebook utility distributes the API key and secret in the source.

It's important to note: this isn't your standard Facebook 'application' that runs within the context of Facebook, nor is it a standard "desktop"-style compiled app -- it's a web-based application intended to be run on your own web server. The audience for this is probably small and somewhat more sophisticated than average -- so, one technical alternative would be to require people to obtain their own API key and secret to use the app. That seems like a lot of work, however, and a fairly large barrier to entry to anybody using this.

Does anybody know, or have any insight on, what sort of trouble I'm letting myself in for if I put both the secrets and the API keys in the config for my app and check it into GitHub for all the world to see?

genehack asked Feb 11 '10 04:02 (592 likes)


2 Answers

Anyone who has access to your secret key has complete control over your application. This page shows all the admin settings they can change with the admin.setAppProperties API call. This could include putting the application into developer mode (so nobody else could use it), changing the callback URL (which would break it) or all kinds of other mischief.

I'm not sure I entirely understand what you're trying to do, but I think if you look at the documentation for session secrets then you may find a solution that doesn't involve embedding the app's secret key but still lets the user interact with the API. Session secrets are used by Facebook Connect and allow API calls to be made without an application secret. The API calls that can be made with a session secret tend to be restricted to the user interacting with their own data only. Updating status and granting permissions is definitely something you can do with a combination of session secrets, Connect and XFBML.

And as Paul has already answered: sharing your application secret is against Facebook's terms of service.

Karl B answered Sep 28 '22 06:09 (110 likes)


You'd be in violation of your agreement which licenses you to use the Facebook API. Part of that agreement is that you keep your key secret. If you don't, they will disable your access until you agree to abide by the rules.

Policy III.7 is very clear:

You must not give your secret key to another party, unless that party is an agent acting on your behalf as an operator of your application, but you must never give your secret key to an ad network. You are responsible for all activities that occur under your account identifiers.

http://developers.facebook.com/policy/

Make your users each get an API key, or rethink your architecture. You don't want Facebook to terminate your access, and signing up for an API key is honestly not THAT much work.

Paul McMillan answered Sep 28 '22 05:09 (38 likes)
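The worry in the question (checking the app id and secret into the config on GitHub) and Paul McMillan's advice (each operator supplies their own key) come down to one configuration pattern: the committed config names which settings are required, and the values are supplied by whoever runs the instance. The following is an added example, not the asker's utility and not anything from Facebook's SDK or policy pages. It reads the app id and secret from the environment or from an untracked local JSON file, fails at startup if either is missing, masks the secret for logging, and includes a pre-commit style scan that flags a secret literal in a file about to be committed. The setting names, the regex, the file name and the sample values are all assumptions constructed for this example.

```python
"""Keep the Facebook app secret out of the committed config.

Assumptions (example code, not the asker's utility):
  * settings come from a dict-like mapping (os.environ by default) and,
    optionally, from a local JSON file that is listed in .gitignore and so
    is never pushed to the public repository;
  * the committed config only names WHICH settings are required, never
    their values, so every operator supplies their own app id and secret.
"""
import json
import os
import re
from pathlib import Path

# Setting names are constructed for this example.
REQUIRED_SETTINGS = ("FB_APP_ID", "FB_APP_SECRET")


class MissingCredential(RuntimeError):
    """Raised at startup so a misconfigured instance fails fast instead of
    silently falling back to a shared, checked-in key."""


def load_credentials(env=None, local_config=None):
    """Resolve the app id and secret from `env` (defaults to os.environ),
    then from an untracked local JSON file; never from the committed config."""
    env = os.environ if env is None else env
    local = {}
    if local_config is not None and Path(local_config).exists():
        local = json.loads(Path(local_config).read_text())
    creds = {}
    for name in REQUIRED_SETTINGS:
        value = env.get(name) or local.get(name)
        if not value:
            raise MissingCredential(
                f"{name} is not set; export it or put it in the untracked local config")
        creds[name] = value
    return creds


# Matches an assignment of a long literal to a key whose name suggests a
# secret, e.g.  secret = "0123..."  or  FB_APP_SECRET: 'abc...'.  A value that
# is read from the environment (no quoted literal) does not match.
_HARDCODED = re.compile(
    r"""(?i)(secret|api[_-]?key|token)\s*[:=]\s*['"][A-Za-z0-9+/=_-]{16,}['"]""")


def find_hardcoded_secrets(text):
    """Return 1-based line numbers in `text` that look like a literal secret.
    Intended to run as a pre-commit hook over the files about to be committed."""
    return [n for n, line in enumerate(text.splitlines(), 1) if _HARDCODED.search(line)]


def redact(creds):
    """Form that is safe to log: keep the app id, mask the secret."""
    return {k: (v if k == "FB_APP_ID" else v[:2] + "..." + v[-2:])
            for k, v in creds.items()}


if __name__ == "__main__":
    # Constructed sample values; not real Facebook credentials.
    sample_env = {"FB_APP_ID": "123456789012345",
                  "FB_APP_SECRET": "0123456789abcdef0123456789abcdef"}
    print(redact(load_credentials(env=sample_env)))
    committed_config = ('app_id = "123456789012345"\n'
                        'secret = "0123456789abcdef0123456789abcdef"\n')
    print("suspicious lines:", find_hardcoded_secrets(committed_config))
```

Wiring `find_hardcoded_secrets` into a pre-commit hook catches the exact mistake the question describes before the push happens, and the fail-fast `MissingCredential` makes the "each user gets their own key" model explicit: an instance without its own credentials refuses to start rather than quietly sharing someone else's.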