Why does OAuth include both an access token and an access token secret?


On a successful OAuth, an access token and an access token secret are generated. The access token secret is never transmitted to the provider. Instead, the client transmits the access token with the request, and it uses the access token secret to sign (encrypt) the request. That is why you need both: one to identify the client, and the other to secure the transmission of the request. On the provider side they do the reverse: they use the access token secret to encrypt the request and validate the access token, and provide access to the service.