Don't have an app yet? Follow the instructions here.
Each app comes with a client ID, client secret, and signing secret.
As the app developer, you should make sure the client secret and signing secret are not shared or committed to public repositories.
Client ID and Secret
The client ID and client secret can be used to generate a bot access token or an access token that impersonates a member. The bot access token can perform all actions that a community admin can perform. The member access token has the same permissions as the impersonated member.
You can learn more about generating an access token using the client ID and secret in the Perform API Request section.
Tribe uses the signing secret to sign all webhook requests. This can be used on your side to confirm the requests are coming from Tribe. You can learn more about verifying webhook requests here.
If you do not verify webhook requests, third parties can misuse your webhook endpoint by sending fake POST requests, which can be dangerous.
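The check described above can look like the following. This is an added example, not Tribe's own code. The signing scheme (hex HMAC-SHA256 over `<timestamp>:<raw body>`, timestamp in Unix seconds), the 300-second replay window, and all names and sample values are assumptions; take the real header names and signing string from the webhook verification documentation.

```python
import hashlib
import hmac
import time

# Assumed scheme (not stated on this page): hex HMAC-SHA256 over
# b"<timestamp>:<raw body>", keyed with the app's signing secret.
MAX_SKEW_SECONDS = 300  # assumed replay window


def sign(signing_secret: str, timestamp: str, raw_body: bytes) -> str:
    """Compute the signature the sender is assumed to attach."""
    msg = timestamp.encode() + b":" + raw_body
    return hmac.new(signing_secret.encode(), msg, hashlib.sha256).hexdigest()


def verify_webhook(signing_secret, timestamp, signature, raw_body, now=None):
    """Return True only for a fresh request carrying a valid signature.

    raw_body must be the exact bytes received, before any JSON parsing:
    re-serialising the payload changes the bytes and breaks the HMAC.
    """
    if not timestamp or not signature:
        return False  # missing headers: reject, never fall through
    try:
        sent_at = int(timestamp)
    except ValueError:
        return False
    now = time.time() if now is None else now
    if abs(now - sent_at) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated: possible replay
    expected = sign(signing_secret, timestamp, raw_body)
    # Constant-time comparison so timing does not leak matching prefixes.
    return hmac.compare_digest(expected.encode(),
                               signature.strip().lower().encode())


# Constructed sample values, for illustration only.
SECRET = "constructed-signing-secret"
BODY = b'{"type":"SUBSCRIPTION","data":{"name":"post.published"}}'
NOW = 1_700_000_000

if __name__ == "__main__":
    ts = str(NOW)
    sig = sign(SECRET, ts, BODY)
    print("valid:   ", verify_webhook(SECRET, ts, sig, BODY, now=NOW))
    print("tampered:", verify_webhook(SECRET, ts, sig, BODY + b" ", now=NOW))
    print("replayed:", verify_webhook(SECRET, ts, sig, BODY, now=NOW + 3600))
```

Load the signing secret from the environment or a secret store at runtime rather than from source, so it is never committed alongside the code.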