Quick Tip – OAuth Client App Parameters | Salesforce Developers Blog

As explained in Digging Deeper into OAuth 2.0 on Force.com, OAuth client applications have a client id (aka consumer key) and (optionally) a client secret (aka consumer secret), which the app uses to identify itself to an authorization server (in our case, typically login.salesforce.com). It's tempting to put these, and similar parameters such as API user credentials, directly in your code (after all, who else is going to see your code?), but I'm here to tell you NO!!!

Yes, I've been guilty of this sin in the past, but a much better approach is to put configuration parameters in environment variables. The benefits are that you can push your code to public repositories without having to remember to remove your secrets, you don't have to load and parse a config file just for the sake of a handful of strings, and your app will work well on Heroku, where best practice is to use environment variables, set via heroku config.

Go grep 3MVG9 * in your source directory to find Force.com OAuth client ids (all the client ids I've seen have this prefix) and rip 'em out!

Stay up to date with the latest news from the Salesforce Developers Blog