Warning: Never expose your api_secret by embedding it in a mobile app or a client-side application. Do not expose the access_token you obtain for a session to the public either.
If it is a client application made for the masses, then don't hard-code api_secret. Do your auth stuff on the backend application.
Another option is storing the access token in a cookie, which is also vulnerable. Can't make the right decision.
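
The backend-side handling discussed in this thread, as an added example that is not part of any post or of the API provider's own code: the api_secret stays in the backend's environment, the access_token stays in a server-side session store, and the browser only receives an opaque session id in an HttpOnly, Secure, SameSite cookie. The function `exchange_with_provider`, the cookie name `sid` and the environment variable `API_SECRET` are assumptions made for the illustration.

```python
import hmac
import os
import secrets
from http.cookies import SimpleCookie

# Assumption: the secret is injected into the backend's environment and is
# never shipped in a mobile app or browser bundle. The fallback is constructed.
API_SECRET = os.environ.get("API_SECRET", "constructed-demo-secret")

# session id -> access_token. In-memory for the demo; a real backend would
# use its own server-side session store.
_SESSIONS = {}

def exchange_with_provider(request_token):
    """Hypothetical stand-in for the server-to-server token exchange.
    It only derives a constructed value so the example runs offline."""
    return hmac.new(API_SECRET.encode(), request_token.encode(), "sha256").hexdigest()

def login(request_token):
    """Do the exchange on the backend and return a Set-Cookie header value.
    The cookie carries a random session id, not the access_token."""
    sid = secrets.token_urlsafe(32)
    _SESSIONS[sid] = exchange_with_provider(request_token)
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["httponly"] = True      # not readable from page scripts
    cookie["sid"]["secure"] = True        # sent over HTTPS only
    cookie["sid"]["samesite"] = "Strict"  # not attached to cross-site requests
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()

def _sid_from(cookie_header):
    """Extract the session id from a request's Cookie header, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return jar["sid"].value if "sid" in jar else None

def token_for(cookie_header):
    """Resolve the cookie to the server-held access_token, or None if unknown."""
    return _SESSIONS.get(_sid_from(cookie_header))

def logout(cookie_header):
    """Drop the server-side session so a copied cookie stops working."""
    _SESSIONS.pop(_sid_from(cookie_header), None)

if __name__ == "__main__":
    print("Set-Cookie:", login("constructed-request-token"))
```
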