<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Proper way of handling APP KEY and APP SECRET in Dropbox API Support &amp; Feedback</title>
    <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Proper-way-of-handling-APP-KEY-and-APP-SECRET/m-p/410478#M22214</link>
    <description>&lt;P&gt;Hi there, as per the title, if my application is to be shipped to the customer, how am I supposed to properly handle the use of APP_KEY and APP_SECRET in the app itself for authentication?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Currently, it is encoded in a base64 string and stored within the application itself and included in the headers. However, the user can relatively easily retrieve it if they want and impersonate my app.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;What would be the proper way of handling these information. Do I encrypt the base64 encoded string and store it in my app? Do I not include these in the app itself and find another way to obtain the APP_KEY and APP_SECRET?&lt;/P&gt;</description>
    <pubDate>Wed, 15 Apr 2020 20:29:09 GMT</pubDate>
    <dc:creator>robobooga</dc:creator>
    <dc:date>2020-04-15T20:29:09Z</dc:date>
    <item>
      <title>Proper way of handling APP KEY and APP SECRET</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Proper-way-of-handling-APP-KEY-and-APP-SECRET/m-p/410478#M22214</link>
      <description>&lt;P&gt;Hi there, as per the title, if my application is to be shipped to the customer, how am I supposed to properly handle the use of APP_KEY and APP_SECRET in the app itself for authentication?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Currently, it is encoded in a base64 string and stored within the application itself and included in the headers. However, the user can relatively easily retrieve it if they want and impersonate my app.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;What would be the proper way of handling these information. Do I encrypt the base64 encoded string and store it in my app? Do I not include these in the app itself and find another way to obtain the APP_KEY and APP_SECRET?&lt;/P&gt;</description>
      <pubDate>Wed, 15 Apr 2020 20:29:09 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Proper-way-of-handling-APP-KEY-and-APP-SECRET/m-p/410478#M22214</guid>
      <dc:creator>robobooga</dc:creator>
      <dc:date>2020-04-15T20:29:09Z</dc:date>
    </item>
    <item>
      <title>Re: Proper way of handling APP KEY and APP SECRET</title>
      <link>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Proper-way-of-handling-APP-KEY-and-APP-SECRET/m-p/410507#M22215</link>
      <description>&lt;P&gt;The app key is considered public and does not need to be protected. The app secret should ideally be kept private though.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;For server-side apps, such as web apps, this is possible since the app secret can be kept on the server only. In client-side apps, it's not possible to secure secrets unfortunately. Instead, you can avoid including the app secret entirely. For client-side apps, you can use the OAuth 2 "token" flow, which doesn't require the use of the app secret. You can find more information on that in &lt;A href="https://www.dropbox.com/developers/documentation/http/documentation#authorization" target="_self"&gt;the Dropbox OAuth 2 documentation&lt;/A&gt;.&lt;/P&gt;</description>
      <pubDate>Wed, 15 Apr 2020 20:34:59 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Proper-way-of-handling-APP-KEY-and-APP-SECRET/m-p/410507#M22215</guid>
      <dc:creator>Greg-DB</dc:creator>
      <dc:date>2020-04-15T20:34:59Z</dc:date>
    </item>
  </channel>
</rss>

