Noob question: leaking oauth

Hi, I’m new.

I’m working on a simple bot that is connecting to chat via the IRC websocket. My bot only needs to read chat, so my token only has the chat:read scope.

I’m curious if there is any potential harm in leaking this oauth code.

My reasoning is that since I only need to read chat, I can use a dummy account with a limited scope token to accomplish my goal, and therefore bypass the need for anyone to authenticate their own account through my service. This is beneficial to the user experience, and also the development process, because the user will have fewer steps to set up, and I won’t need to use a database to store anything securely.

However, since I am new, I feel like there may be some risk involved that I am unaware of.

Has anyone done anything like this before? Is there anything that my novice mindset is overlooking?

Any information is greatly appreciated, as internet searching has returned zero results on this matter.

Thanks for your time.

Leaking your OAuth token is a violation of the developer agreement, as all OAuth tokens must be kept secret. Also, if someone were to get your OAuth token, they could revoke it before it expires, which would prematurely kill the token, or misuse the token, which would be tied to your account and app which you are responsible for.

If your app just needs to read chat you could use an anonymous connection. Just set the username to justinfan12345, and an empty password in place of an OAuth token.

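The anonymous read-only connection suggested in the reply above, sketched as an added example (not code from the thread or from Twitch). It shows that no token exists anywhere in the client, so there is nothing to leak. The function names, the sample frame, the endpoint in the closing comment, and the choice to express the empty password by sending no PASS line are assumptions.

```javascript
// Added example: read-only, anonymous chat client logic with no OAuth token.
const ANON_NICK = "justinfan12345"; // username given in the reply above

// Lines to send once the socket opens. Assumption: the "empty password" is
// expressed by sending no PASS line, so the client holds no credential at all.
function anonymousHandshake(channel) {
  const name = String(channel).replace(/^#/, "").toLowerCase();
  // Strict allow-list: rejects CR/LF, so user input cannot inject IRC commands.
  if (!/^[a-z0-9_]{1,25}$/.test(name)) {
    throw new Error("invalid channel name");
  }
  return [`NICK ${ANON_NICK}`, `JOIN #${name}`];
}

// Parse one raw IRC line. Only PING and PRIVMSG matter to a read-only bot.
function parseLine(line) {
  if (line.startsWith("PING")) {
    return { type: "ping", reply: "PONG" + line.slice(4) };
  }
  const m = /^:([^!\s]+)!\S+ PRIVMSG (#\S+) :(.*)$/.exec(line);
  if (m) return { type: "chat", user: m[1], channel: m[2], text: m[3] };
  return { type: "other" };
}

// A websocket frame may carry several CRLF-separated lines.
// `send` is a hypothetical callback that writes one line to the socket.
function handleFrame(data, send) {
  const messages = [];
  for (const line of data.split("\r\n")) {
    if (!line) continue;
    const ev = parseLine(line);
    if (ev.type === "ping") send(ev.reply); // keep-alive, otherwise the server drops us
    else if (ev.type === "chat") messages.push(ev);
  }
  return messages;
}

// Constructed sample frame, not captured traffic.
const SAMPLE_FRAME =
  ":alice!alice@alice.tmi.twitch.tv PRIVMSG #somechannel :hello world\r\n" +
  "PING :tmi.twitch.tv\r\n";

// Wiring against a live socket (endpoint is an assumption, not from the thread):
// const ws = new WebSocket("wss://irc-ws.chat.twitch.tv:443");
// ws.onopen = () => anonymousHandshake("somechannel").forEach((l) => ws.send(l));
// ws.onmessage = (e) => handleFrame(e.data, (l) => ws.send(l));
```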

Thanks so much, that makes a lot of sense. You have been very helpful, and I appreciate it.
