19 Jan
Last.fm client application: How should secrets be handled
I am creating a browser (Chrome) extension that will serve as a YouTube Music last.fm scrobbler (detect songs and send them to last.fm).
I created a last.fm application (docs) which granted me
- an api key
- a shared secret
Then I followed this page that describes the steps needed to make authenticated calls.
If I understand this correctly I should:
- Have a link for the user to reach `http://www.last.fm/api/auth/?api_key=xxx`
- This link will prompt the user to allow my extension to use their data
- After they accept, they will be redirected to a callback address of my application with a `token` query parameter
- Using this `token`, the `apiKey` and the `sharedSecret`, I must call their `auth.getSession` endpoint, which will grant me a `sessionKey`.
- Using (among others) the `sessionKey` and the `apiKey` will allow me to make authenticated calls to the last.fm API on behalf of the user (e.g. scrobble).
Problem statement:
Should I save the `apiKey` and `sharedSecret` of my application on the client side (extension code)? I need to have the user's `sessionKey` so I can scrobble songs for them, and the only way (I see) to get it is to use the combination of `apiKey` and `sharedSecret`.
Extra notes
- I don't want to create a backend service that would hide this information
- Initial inspiration for this project was the cloudplayer-scrobbler which, if I understood correctly, has both the `apiKey` and `sharedSecret` freely available on the client
- I have the intuition that other reputable projects follow the same approach (without any backend)