
Facebook - Security of Auth Token?


How important is it to keep the oauth_token safe from prying eyes? For instance, should I avoid passing it around in javascript and keep it solely in php-land, or is it fairly harmless to use it as is convenient? I'm trying to figure out what nefarious things a user could do with it, but beyond manually replying to their requests and looking up their own information it seems like it would be fairly harmless.


Solution

  • The oauth_token gives access to the account the token is bound to [1]. So it must be kept secret from anyone other than the owner of the account (and can be disclosed to him).

    [1] Facebook uses OAuth2, and the access_token alone allows use of the API, without an OAuth consumer key / secret.
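One way to act on this answer, as an added example that is not part of the original post: keep the access_token in the PHP session and let browser-side JavaScript call only your own endpoint, which adds the token server-side. The session key `fb_access_token`, the CSRF field and the `action` allow-list are assumptions; the Graph endpoint `https://graph.facebook.com/me` is the real one.

```php
<?php
// Added example (not from the original post): the bearer token stays in the
// session on the server; the browser never receives it, only the API result.
// Assumes an earlier OAuth redirect handler stored the token in
// $_SESSION['fb_access_token'] and a CSRF value in $_SESSION['csrf'].
session_start();

// Only answer POSTs from our own page: the session cookie plus a CSRF check
// stop other sites from using this proxy with the victim's session.
if (!isset($_SESSION['fb_access_token'], $_SESSION['csrf'])
    || !isset($_POST['csrf'])
    || !hash_equals($_SESSION['csrf'], $_POST['csrf'])) {
    http_response_code(403);
    exit;
}

// Allow-list the few Graph calls the front end needs instead of letting the
// client supply an arbitrary path that would be executed with the token.
$allowed = ['me' => '/me?fields=id,name'];
$action  = $_POST['action'] ?? '';
if (!isset($allowed[$action])) {
    http_response_code(400);
    exit;
}

// The token is appended here, on the server side.
$url = 'https://graph.facebook.com' . $allowed[$action]
     . '&access_token=' . rawurlencode($_SESSION['fb_access_token']);

$ch = curl_init($url);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSL_VERIFYPEER => true,   // keep TLS verification on; the URL carries the token
    CURLOPT_TIMEOUT        => 10,
]);
$body   = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
curl_close($ch);

header('Content-Type: application/json');
header('Cache-Control: no-store');    // API responses about the user should not be cached
http_response_code($status ?: 502);
echo $body === false ? '{"error":"upstream request failed"}' : $body;
```

The JavaScript side then posts `action=me` together with the CSRF field to this script and works with the returned JSON, so the token itself never appears in client code, URLs or browser logs.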