The client secret is described as:
An optional private key that authenticates your integration when requesting an OAuth token.
You should only generate a client secret if you are requesting OAuth tokens from a server. Do not generate a client secret if you have a desktop, mobile, or web application directly issuing the OAuth token request.
Can anyone clarify why there is a difference between requesting a token from a server and from an application? Isn't using a client_secret generally more secure?
If I am creating an OAuth app that will be used by others to authenticate from different machines and possibly servers, should I add a client_secret or not?