Forum Discussion
KT
10 years ago
New member | Level 2
OAuth2 public app key security
I'm just in the process of updating a few things and wanted to clarify how things are handled in terms of OAuth2 (and specifically, in this case, Android).
Basically it's my understanding that the ...
Greg-DB
Dropbox Community Moderator
10 years ago
It sounds like you already have a pretty good handle on this, and (as you mentioned) since this is more about OAuth 2 itself, as opposed to Dropbox, there are likely plenty of good resources available online for more reading.
To add a few points and address your questions though, the app key does get exposed publicly, but the app key isn't considered a secret value, so this is fine and expected. The app secret, on the other hand, doesn't need to be exposed. If an attacker has your app key though, they can initiate an OAuth 2 app authorization flow, impersonating your app, but note that if they only have the key, they can only use the "token" a.k.a. "implicit" OAuth 2 flow, which requires a pre-registered redirect URI. Redirect URIs can only be set from your developer account via the App Console. You can find some more information in the documentation under /oauth2/authorize.
We also have an OAuth guide that may be helpful.
Finally, apps that don't need to use the implicit a.k.a. token flow, e.g., purely server-side apps, can disable it via the App Console.
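The reply above rests on two server-side controls: an implicit-flow request is only honored for a pre-registered redirect URI, and the flow can be switched off per app. The following is an added example, not part of the original thread and not Dropbox's code; it models that check in simplified form, and the registry, app keys, hosts and function name are constructed assumptions.

```python
# Simplified model of the checks an OAuth 2 authorization server applies to an
# implicit-flow ("token") request. All names and values are constructed for
# this example; this is not Dropbox's implementation.
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs


@dataclass(frozen=True)
class RegisteredApp:
    redirect_uris: frozenset       # set only by the developer, never by the request
    implicit_enabled: bool = True  # purely server-side apps can switch this off


# Registry keyed by the public app key (client_id). Constructed sample data.
APPS = {
    "example_app_key": RegisteredApp(
        frozenset({"https://app.example.com/oauth/callback"})),
    "server_only_key": RegisteredApp(
        frozenset({"https://srv.example.com/cb"}), implicit_enabled=False),
}


def check_authorize_request(url: str) -> str:
    """Return 'ok', or the reason the request is refused before a token is issued."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    app = APPS.get(params.get("client_id", ""))
    if app is None:
        return "unknown client_id"
    if params.get("response_type") != "token":
        return "not an implicit-flow request"  # other flows are outside this model
    if not app.implicit_enabled:
        return "implicit flow disabled for this app"
    # Exact string comparison: no prefix, wildcard or substring matching, so a
    # look-alike host or an extra path segment does not pass.
    if params.get("redirect_uri") not in app.redirect_uris:
        return "redirect_uri not registered"
    return "ok"
```

Knowing the app key is enough to build a request that passes the first check, but the token is only ever delivered to a URI the developer registered.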