Public native app client - what to keep secret?

Hi all,

When using a public client that has no client secret and uses Appauth.io, what should not be kept in source control? Especially if you want to release the app under an open source license in a public git repository?

Thanks,
Gavin.

Can’t really answer that because I’ve never used AppAuth, but my best guess would be to check their website/docs for guidance. Generally, you don’t want the Client Secret in code that runs on untrusted devices.

Thanks. It’s a public client that has no secret.

I think most of my questions will be covered in https://tools.ietf.org/html/rfc8252