yes, it could be a problem - however, there are known solutions to
obfuscating and keeping your consumer key secret.  not perfect, but pretty
good.  maybe we can start a discussion around this?  people are going to
need to start to move towards this method, and we are here to help you if
you need it.

ps.  DO NOT COUNT ON THIS, but....  @anywhere is powered using a draft oauth
2.0 spec.  we are not yet opening up those endpoints for public use because
we reserve the right to switch them around to follow the spec a bit more
closely.  we will be opening this up for others to use, but we do not yet
have a timeframe for it.  we have to first fully deploy our oauth 1.0a
rewrite.

On Wed, Apr 14, 2010 at 3:22 PM, Josh Roesslein <jroessl...@gmail.com> wrote:

> I am all for oAuth replacing basic, but one of the remaining issues is
> consumer keys. With 1.0, signing is required, thus requiring
> distributing keys with your application. We all know this is pretty unsafe
> since any hacker could yank them out.
> oAuth 2.0 does seem to solve a lot of the issues involving desktop
> applications, but is still being drafted. So maybe holding off
> basic auth deprecation until then might not be ideal, but I think it would
> help make porting to oAuth a bit easier.
> Just curious how soon can we expect 2.0 to be rolling out and if Twitter
> has considered at all extending basic auth's lifetime.
>
> Thanks,
>
> Josh
>



-- 
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi
