I am testing this in Postman. Calling GET link
I am using Firebase auth for OAuth login with Twitter. This allows me to obtain the user access token and access secret.
I wanted to make an API call in the client to retrieve the current user's statuses on the user timeline. However, with just the access token and access secret I get a 400 error status with code 215 (bad auth data). If I include the app consumer key and consumer secret, the API GET request works. But this limits me to making the call on my server, because the consumer secret is exposed. Is this the only way? Or am I missing something?
Yes, you need all 4, otherwise the access token/secret can be stolen and anyone can access that account on your behalf. So your calls need to be like this:
Client => Server => Twitter
Twitter => Server => Client
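An added sketch (not part of the original answer, and not Twitter's or Firebase's code) of the OAuth 1.0a HMAC-SHA1 signing that the Client => Server => Twitter flow relies on: the signing key combines the consumer secret with the user's access secret, so the signing step has to run where the consumer secret lives. The endpoint URL, credentials, nonce and timestamp are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholders, not real credentials or a real endpoint.
URL = "https://api.example.test/statuses/user_timeline.json"
CONSUMER_KEY, CONSUMER_SECRET = "app-key", "app-secret"      # server-side only
ACCESS_TOKEN, ACCESS_SECRET = "user-token", "user-secret"    # from the OAuth login


def pct(value):
    """Percent-encode as OAuth 1.0a requires: only unreserved characters survive."""
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """METHOD & encoded URL & encoded, sorted parameter string."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def signature(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 keyed with BOTH secrets; this is why all four values are needed."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(digest.digest()).decode()


def authorization_header(method, url, query, token, token_secret, nonce, timestamp):
    """Runs on the server, so the consumer secret never reaches the client."""
    oauth = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    signed = {**query, **oauth}  # query and oauth_* parameters are signed together
    oauth["oauth_signature"] = signature(method, url, signed, CONSUMER_SECRET, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))


if __name__ == "__main__":
    print(authorization_header("GET", URL, {"count": "5"}, ACCESS_TOKEN, ACCESS_SECRET,
                               nonce="constructed-nonce", timestamp="1700000000"))
```

In production the nonce must be random per request and the timestamp the current Unix time; they are fixed here only so the output is reproducible.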