Forum Discussion

rstokes's avatar
rstokes
New member | Level 2
7 years ago

How sensitive are the app key and app secret?

It's all in the title really, what can someone achieve with my app key and app secret? The api needs to be authenticated against a user to access data. What are possible bad outcomes of a compromised app secret and key?

 

Thanks!

  • Greg-DB's avatar
    Greg-DB
    Icon for Dropbox Staff rankDropbox Staff

    The app key and secret identify your app, and are used during the OAuth app authorization flow. They do not themselves offer access to any user data.

     

    A leaked app key/secret pair would allow someone to:
    - impersonate your app (e.g., initiate the OAuth app authorization flow for your app). The potential here is limited though because they would not be able to register their own redirect URIs for your app.
    - send bogus but correctly signed webhook notifications (since Dropbox signs real webhooks notificaitons using the app secret).

     

    A leaked app key/secret pair itself would not allow someone to access user data however, as that requires an actual access token.

About Dropbox API Support & Feedback

Node avatar for Dropbox API Support & Feedback
Find help with the Dropbox API from other developers.5,941 PostsLatest Activity: 20 hours ago
351 Following

If you need more help you can view your support options (expected response time for an email or ticket is 24 hours), or contact us on X or Facebook.

For more info on available support options for your Dropbox plan, see this article.

If you found the answer to your question in this Community thread, please 'like' the post to say thanks and to let us know it was useful!