When you register your app, you will get a Token collection that identify your app in topoos (CLIENT_ID and CLIENT_SECRET) and others tokens that let you get start quickly (APPTOKEN_ADMIN and APPTOKEN_USER).
All those tokens must be obfuscated and should be safe, avoiding as far as possible that a user or malware can get them. This is especially important in the case of CLIENT_SECRET and APPTOKEN_ADMIN: you must let them to be revealed or published and you must kept them secret.
If some kind of malware access this information could impersonate your app.
Others token must be also protected.