I own a website that has an API - every service that wants to use this API must have an API key and a Secret and the active user must have a cookie of my site.
Let's say someone wants to develop an app using jQTouch and my API - the problem is that jQTouch is "client-side" - meaning that EVERYONE can discover the API key and Secret and create a new jQTouch app that will easily exploit every user that holds a COOKIE of my site (for example, creating a button that will delete all users' content...).
How can I solve it? How does Facebook solve that problem?