Reading on some of the answers on here, people suggest doing userless access by calling Foursquare by: https://api.foursquare.com/v2/venues/search?ll=40.7,-74&client_id=XXXXXXXXXXXXXXXX&client_secret=YYYYYYYYYYYYYYYYY&v=20111109
This means I have to include my client_secret key? Is this safe?
Clarification, I'm working on an iOS app using Foursquare search without the user logging in.
You should probably route the search requests via your server, which can add the client_id/client_secret information before passing it to foursquare. This will also be useful if you ever need to change your id/secret information, want to add caching, etc.
(That being said, it's perfectly common to put your client id / secret into your iOS app, but I would avoid explicitly publishing it anywhere, e.g. in any public source code)
Yes, it means that you need to include the client_id and client_secret.
Define safe :)
For facebook server-side application access, you include the app id and app secret as well (id|secret constructs the access token)
I think that the main idea behind this kind of access is to allow server-side access from the application and if the api access is done via a server script/code/web-service (and not via client-side javascript), this information remains a secret.
I guess it would be true to say that leaving this information somehow in the javascript code is not the best idea (= not safe!).
