Because the API can be used to access, interact with, modify, and delete metadata on Vimeo, there are some best practices developers should follow when working with their authentication tokens.
- Avoid sharing your client_secret or access_token in public or over email. Vimeo Staff members who discover access tokens or client secrets in public may revoke those credentials on our backend without notice to the owner.
- Generate tokens with only the scopes needed for your application. Omitting unnecessary scopes can help avoid any potential misuse if the token is used by an unwanted party.
- Delete tokens that are no longer needed.
- Use unauthenticated (client_credentials) or public-scope-only tokens with client-side applications where it can be easier for someone to discover your token.
- Use the token creation workflow that best suits your use case. Some workflows generate expiring tokens, while other workflows generate tokens that never expire.
In general, your authentication token should be treated like an account password; never share it, and always keep it somewhere secure.