Is it safe to give out your client id and client secret?
I created a self client API via the API console for my sandbox account.
Took me a while to work everything out and then I managed to generate tokens and refresh tokens for my developers to use.
I had to step away from my computer for half a day this weekend, so the developer asked for the client ID and client secret so they can regenerate the refresh tokens.
I've now gone to generate tokens for my production account and noticed it uses the same client ID and client secret!
I'm guessing I need to immediately change everything to be on the safe side?
How are developers meant to work if they cannot generate their own refresh tokens?