7

After the Twitter OAuth process, once I finally get my access_token_key and access_token_secret, is it safe to store these in a JavaScript variable client side?

As far as I can work out, nothing can be done with these keys without the consumer_key/consumer_secret?

Basically, to avoid storing anything in the session if I need to make another API call.

coffee

1 Answer

3

As with all security considerations, it helps to be clear about who you are defending and who you are defending against. Your clients are fairly safe in this environment, though perhaps they could mess with you a bit. Someone could write another Twitter client and that client could pretend to be your client. If it misbehaves and Twitter bans it, you could be banned as collateral. This assumes that the Twitter API calls are being made client side, so the client needs to have enough information to act on your behalf (from Twitter's perspective). If you make all API calls server side and don't share your access codes, then nobody can modify your client or impersonate it.

If it makes you feel better, most Twitter clients have this problem...

om-nom-nom
Arthur Ulfeldt