Public Versus Confidential Application Flows

Public Flow

Your API key and OAuth tokens (both Limited Access and Full Access) are obfuscated yet publicly available with the technical effort that likely takes some time. Use this flow only when replay attacks are unlikely within the span of the token lifetime and when the API key and tokens are obfuscated (such as behind a decompiler). 

Confidential Flow

Your API key remains completely hidden from public view. You can obfuscate or hide OAuth Limited Access tokens from public view. OAuth Full Access token is fully hidden from the public and typically hidden via a server proxy between the application and Digital River servers.