"You put it on a server, because it’s the only place you can ensure that it stays safe."
Uh, what? If on OS X or iPhone, use Keychain. If on something else, do whatever makes sense there. There's really no need to stick it on your server, that I can see.
If the user loses it, you just generate a new one, right?
The author is not talking about the per-user secret key. He is talking about a secret API key that is used to encrypt all the communications from his application. If you store that locally, you run the risk of having anyone with a decompiler be able to reverse engineer your specific API key.
Wow, okay. I hadn't dug into OAuth enough to get to that point. Is there any reason the client token isn't authentication enough for the server to decide to sign the request? If the app (client+server) has control of the authentication flow, it shouldn't need another set of credentials to figure that out.
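The "sign it on the server" design the thread is circling around, as an added example that is not from any commenter: the phone never holds the consumer secret, only an app session id; the backend looks up that user's access token and produces the OAuth 1.0a HMAC-SHA1 signature (RFC 5849). SigningService, register_session, the session id scheme and all sample values are constructed for illustration.

```python
"""Server-side OAuth 1.0a signing (added example, not from the thread).
The consumer secret lives only on the app owner's server; the phone keeps a
session id. SigningService and all sample values are constructed here."""
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(value):
    """RFC 5849 3.6 percent-encoding: only unreserved characters pass."""
    return quote(str(value), safe="-._~")

def signature_base_string(method, base_url, params):
    """Base string from decoded (key, value) pairs, incl. oauth_* (RFC 5849 3.4.1)."""
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with consumer and token secrets (RFC 5849 3.4.2)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

class SigningService:
    """Backend that holds the consumer secret plus each user's access token."""
    def __init__(self, consumer_key, consumer_secret):
        self._consumer_key = consumer_key
        self._consumer_secret = consumer_secret
        self._sessions = {}  # app session id -> (oauth_token, oauth_token_secret)

    def register_session(self, session_id, token, token_secret):
        self._sessions[session_id] = (token, token_secret)

    def sign_request(self, session_id, method, base_url, params,
                     nonce=None, timestamp=None):
        """Return the Authorization header for the client's request, or refuse."""
        if session_id not in self._sessions:
            raise PermissionError("unknown app session; refusing to sign")
        token, token_secret = self._sessions[session_id]
        oauth = [("oauth_consumer_key", self._consumer_key),
                 ("oauth_token", token),
                 ("oauth_signature_method", "HMAC-SHA1"),
                 ("oauth_timestamp", timestamp or str(int(time.time()))),
                 ("oauth_nonce", nonce or secrets.token_hex(8))]
        base = signature_base_string(method, base_url, list(params) + oauth)
        sig = hmac_sha1_signature(base, self._consumer_secret, token_secret)
        fields = oauth + [("oauth_signature", sig)]
        return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in fields)
```

The client sends method, URL and parameters plus its session id; a request with an unknown session is refused before any signing happens, so the consumer secret is only ever exercised for sessions the backend already recognises.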