I don't normally do "web programming", but now that I have to do some of it, I have to ask: how did this end up being the security standard? (OAuth 2.0, example from PayPal's API) pic.twitter.com/nHXqajAiej
If instead you passed merely a signature of the request signed using the secret, then any breach leaks only the specific token, and not the entire client authority.
This is actually a non-trivial difference, unless I am missing something. For example, you could put the signing in a secure enclave, and then it would be protected, and still fast since only the signing must operate securely.
But with the OAuth model, you would have to put the entire application in a secure enclave, from the storage right on down to the part where the HTTPS packet gets encoded, which seems terrible for performance.
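The contrast drawn in the tweets above, as an added example (not code from the thread and not PayPal's API): the first function sends the client id and secret on every request, so one captured request exposes the whole client authority, while the second only ever sends an HMAC over the request's method, path, timestamp, nonce and body hash, so a capture yields a signature that is useless for any other request. The header names, the canonical-string layout, the credentials and the 300-second skew window are all constructed assumptions for the demo, not anything PayPal or OAuth 2.0 specifies.

```python
"""HMAC request signing versus shipping the client secret on every call."""
import base64
import hashlib
import hmac
import secrets
import time

# Constructed sample credentials; nothing here is a real client id or secret.
CLIENT_ID = "client-demo"
CLIENT_SECRETS = {CLIENT_ID: b"constructed-demo-secret"}  # server-side lookup table
MAX_SKEW_SECONDS = 300  # assumed acceptance window for the request timestamp


def bearer_style_headers(client_id: str, secret: bytes) -> dict:
    """The pattern the tweet complains about: id and secret travel in every
    request, so whoever captures one request holds the whole client authority."""
    token = base64.b64encode(client_id.encode() + b":" + secret).decode()
    return {"Authorization": "Basic " + token}


def canonical_string(method: str, path: str, timestamp: int, nonce: str, body: bytes) -> bytes:
    """Bind the signature to everything the server will act on."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(client_id, secret, method, path, body, timestamp=None, nonce=None) -> dict:
    """Client side: only the HMAC leaves the code that holds the secret. This is
    the one function that needs the secret, so it is the part that could sit
    behind an enclave or HSM boundary while the rest of the app stays outside."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = canonical_string(method, path, timestamp, nonce, body)
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Client-Id": client_id, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": mac}


def verify_request(headers, method, path, body, seen_nonces: set, now=None):
    """Server side: recompute the MAC over the request actually received and
    compare in constant time. Returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    secret = CLIENT_SECRETS.get(headers.get("X-Client-Id", ""))
    if secret is None:
        return False, "unknown client"
    try:
        timestamp = int(headers["X-Timestamp"])
        nonce = headers["X-Nonce"]
        presented = headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed signing headers"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    if nonce in seen_nonces:
        return False, "nonce already used (replay)"
    expected = hmac.new(secret, canonical_string(method, path, timestamp, nonce, body),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"
    seen_nonces.add(nonce)  # record only after success so a forged nonce cannot block a real one
    return True, "ok"


def demo() -> dict:
    """Run both styles over a constructed request and report what a capture reveals."""
    secret = CLIENT_SECRETS[CLIENT_ID]
    body = b'{"amount": "10.00"}'
    leaky = bearer_style_headers(CLIENT_ID, secret)
    bearer_leaks_secret = secret in base64.b64decode(leaky["Authorization"].split()[1])
    signed = sign_request(CLIENT_ID, secret, "POST", "/v1/payments", body,
                          timestamp=1_700_000_000, nonce="n1")
    signed_exposes_secret = any(secret.decode() in v for v in signed.values())
    seen = set()
    return {
        "bearer_leaks_secret": bearer_leaks_secret,
        "signed_exposes_secret": signed_exposes_secret,
        "valid": verify_request(signed, "POST", "/v1/payments", body, seen, now=1_700_000_010)[0],
        "replayed": verify_request(signed, "POST", "/v1/payments", body, seen, now=1_700_000_010)[0],
        "tampered_body": verify_request(signed, "POST", "/v1/payments", b'{"amount": "10000.00"}',
                                        set(), now=1_700_000_010)[0],
        "stale": verify_request(signed, "POST", "/v1/payments", body, set(), now=1_700_003_600)[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The timestamp and nonce are what make a captured signature single-use: without them the server would accept the same signed request forever, which is the "specific token" leak the tweet is willing to tolerate, but nothing worse.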
It's ok, it's base64 encrypted.
This is fairly standard for web APIs, the driving factor being ease of use. Secrets are usually stored in environment variables or requested from a secure store.
Ease*