<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic How sensitive are the app key and app secret? in Dropbox API Support &amp; Feedback</title>
    <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/How-sensitive-are-the-app-key-and-app-secret/m-p/289907#M17749</link>
    <description>&lt;P&gt;It's all in the title really, what can someone achieve with my app key and app secret? The api needs to be authenticated against a user to access data. What are possible bad outcomes of a compromised app secret and key?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;</description>
    <pubDate>Wed, 29 May 2019 09:11:08 GMT</pubDate>
    <dc:creator>rstokes</dc:creator>
    <dc:date>2019-05-29T09:11:08Z</dc:date>
    <item>
      <title>How sensitive are the app key and app secret?</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/How-sensitive-are-the-app-key-and-app-secret/m-p/289907#M17749</link>
      <description>&lt;P&gt;It's all in the title really, what can someone achieve with my app key and app secret? The api needs to be authenticated against a user to access data. What are possible bad outcomes of a compromised app secret and key?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Wed, 29 May 2019 09:11:08 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/How-sensitive-are-the-app-key-and-app-secret/m-p/289907#M17749</guid>
      <dc:creator>rstokes</dc:creator>
      <dc:date>2019-05-29T09:11:08Z</dc:date>
    </item>
    <item>
      <title>Re: How sensitive are the app key and app secret?</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/How-sensitive-are-the-app-key-and-app-secret/m-p/289920#M17752</link>
      <description>&lt;P&gt;The app key and secret identify your app, and are used during the OAuth app authorization flow. They do not themselves offer access to any user data.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;A leaked app key/secret pair would allow someone to:&lt;BR /&gt;- impersonate your app (e.g.,&amp;nbsp;initiate the OAuth app authorization flow for your app). The potential here is limited though because they would not be able to register their own redirect URIs for your app.&lt;BR /&gt;- send bogus but correctly signed webhook notifications (since &lt;A href="https://www.dropbox.com/developers/reference/webhooks" target="_blank"&gt;Dropbox signs real&amp;nbsp;webhooks notificaitons using the app secret&lt;/A&gt;).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;A leaked app key/secret pair itself would not allow someone to access user data however, as that requires an actual access token.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 09 Aug 2018 16:08:10 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/How-sensitive-are-the-app-key-and-app-secret/m-p/289920#M17752</guid>
      <dc:creator>Greg-DB</dc:creator>
      <dc:date>2018-08-09T16:08:10Z</dc:date>
    </item>
  </channel>
</rss>

