Forum Discussion

David B.37's avatar
David B.37
Explorer | Level 4
10 years ago

Safely expose credentials to JavaScript client?

I'm building an application with Dropbox that allows the user to log in with Dropbox using OAuth 2. I've made an app on Dropbox, put the app key and app secret into my application code, and I can suc...
API
Greg-DB's avatar
Greg-DB
Icon for Dropbox Community Moderator rankDropbox Community Moderator
10 years ago

Hi David, it sounds like you have a good handle on this already. In order to make an API call, the client (in this case, the browser) needs the access token. Fundamentally though, client-side apps, (such as in a browser) can't keep secrets. 

That means that the access token would be exposed to the users, compromising your account. Unfortunately, there isn't a good way to do this without proxying the requests through your server. (And just to be clear, this is only a problem in the case where you only want to connect to your own account for all users. In the normal case, where users only connect to their own accounts, this is fine since they'd only have their own access tokens anyway.)

About Dropbox API Support & Feedback

Node avatar for Dropbox API Support & Feedback
Find help with the Dropbox API from other developers.

The Dropbox Community team is active from Monday to Friday. We try to respond to you as soon as we can, usually within 2 hours.

If you need more help you can view your support options (expected response time for an email or ticket is 24 hours), or contact us on X, Facebook or Instagram.

For more info on available support options for your Dropbox plan, see this article.

If you found the answer to your question in this Community thread, please 'like' the post to say thanks and to let us know it was useful!