Keeping tokens and credentials secure is important when developing your applications and distributing those applications to the world.
These two pieces of information, the Client ID and the Client Secret, are provided when you register your application with Luxstay.
The Client ID is used to identify your application and usually appears in OAuth authorization URLs. The Client ID can be shared publicly in code and other contexts because this value alone cannot be used to act on your application's behalf.
Your Client Secret, on the other hand, should be kept private and secure. It is used to identify your application's rights when exchanging tokens with Luxstay. You should not distribute the Client Secret via code, email, or any other public channels.
Access tokens are usually short-lived (short TTL). They should expire frequently and be re-obtained using a refresh token. We provide an endpoint for refreshing access tokens.
Redirect URIs appear as URLs and are usually used in some authorization grants, such as Authorization Code. They are safe to include in published code. However, you should ensure that the redirect URIs defined in your applications are limited to domains you directly control.
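One way to check the redirect URI rule above before registering an application, as an added example that is not Luxstay's own code. It goes beyond the domain rule by also flagging non-HTTPS schemes, embedded userinfo, wildcards and fragments; the domain list, function names and sample URIs are assumptions, and it targets web applications (custom-scheme redirects for native apps are out of scope).

```python
from urllib.parse import urlsplit

# Assumption: constructed sample domains standing in for ones you control.
OWNED_DOMAINS = {"app.example.com", "example.org"}


def host_is_owned(host, owned=OWNED_DOMAINS):
    """True if host is an owned domain or a subdomain of one (dot boundary)."""
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in owned)


def audit_redirect_uri(uri, owned=OWNED_DOMAINS):
    """Return the problems found in one redirect URI; an empty list means OK."""
    try:
        parts = urlsplit(uri)
        host = parts.hostname or ""
        parts.port  # accessing .port raises ValueError on a malformed port
    except ValueError:
        return ["not a parseable URL"]
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if parts.username is not None or parts.password is not None:
        problems.append("contains userinfo")
    if "*" in uri:
        problems.append("contains a wildcard")
    if parts.fragment:
        problems.append("contains a fragment")
    if not host_is_owned(host, owned):
        problems.append("host is not under a controlled domain")
    return problems


def audit_all(uris, owned=OWNED_DOMAINS):
    """Map each failing redirect URI to its list of problems."""
    report = {u: audit_redirect_uri(u, owned) for u in uris}
    return {u: p for u, p in report.items() if p}


if __name__ == "__main__":
    # Constructed sample registrations, not real Luxstay data.
    sample = ["https://login.example.org/oauth/callback",
              "https://evilexample.org/cb",
              "https://app.example.com@evil.test/cb"]
    for uri, problems in audit_all(sample).items():
        print(uri, "->", "; ".join(problems))
```

The suffix match uses a leading dot so that look-alike hosts such as `evilexample.org` or `app.example.com.evil.test` are not treated as controlled domains.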
Storing tokens is hard, and the right approach depends on the context, usage and design requirements.
Other security advice to consider: