Is the client secret that Beeminder gives you when you create a new OAuth app ever used for anything at all?
When you create a new app, Beeminder tells you
Hey! This is important - store this client secret somewhere safe. We don’t store it in plain text, so after your session ends you’ll need to generate another one if you don’t have it stored somewhere.
This is at least claiming that the client secret is important. But if it is, it’s not documented very well. As far as I can see, the API documentation doesn’t mention the client secret at all.
(Also—the aforementioned message references the possibility of regenerating the client secret if it is lost. That’s not actually possible, as far as I can tell.)
A somewhat related bug—if I try to register an OAuth app, and I leave off the protocol from the redirect URL (e.g.
example.com instead of
https://example.com), submitting the form fails silently (with no indication of what the problem is.)
(You also get that same silent failure if you leave the name field or redirect URL field blank.)