cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community
English
Announcements
Want to learn some quick and useful tips to make your day easier? Check out how Calvin uses Replay to get feedback from other teams at Dropbox here.

Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Can app key be published?

Labels:

Can app key be published?

jorgenpt
Explorer | Level 3
‎06-23-2017 12:16 AM
Go to solution

In APIv1, there was an app secret and app key, but in APIv2 I only seem to need the app key. Is the app key something that needs to be kept secret? Can I safely publish the app key in the open source repository for my application?

Labels:
  • 0 Likes
  • 1 Replies
  • 1,750 Views
0 Likes
1 Accepted Solution

Accepted Solutions

Greg-DB
Dropbox Staff
‎06-23-2017 01:30 PM
Go to solution

When using the OAuth 2 "token" flow, only the app key is necessary and the app secret isn't used. In the "code" flow, both the app key and secret are necessary. You can find more information on the different OAuth 2 flows in the documentation here:

 

https://www.dropbox.com/developers/documentation/http/documentation#oauth2-authorize

 

Our general guidance is that when you're releasing your app to be used by users, you can certainly embed your key in the app, so that the app will work and let them link it to their accounts without any additional work.

 

On the other hand, if you release the code itself, for example on GitHub, etc., you don't recommend including your app key. This way, if anyone forks the code (in essence, making their own version of the app), they will have to get their own app key. That lets the Dropbox API distinguish between the different versions of the apps, and in case one of them misbehaves, any action taken will only affect the one misbehaving version.

View solution in original post

0 Likes
1 Reply 1

Greg-DB
Dropbox Staff
‎06-23-2017 01:30 PM
Go to solution

When using the OAuth 2 "token" flow, only the app key is necessary and the app secret isn't used. In the "code" flow, both the app key and secret are necessary. You can find more information on the different OAuth 2 flows in the documentation here:

 

https://www.dropbox.com/developers/documentation/http/documentation#oauth2-authorize

 

Our general guidance is that when you're releasing your app to be used by users, you can certainly embed your key in the app, so that the app will work and let them link it to their accounts without any additional work.

 

On the other hand, if you release the code itself, for example on GitHub, etc., you don't recommend including your app key. This way, if anyone forks the code (in essence, making their own version of the app), they will have to get their own app key. That lets the Dropbox API distinguish between the different versions of the apps, and in case one of them misbehaves, any action taken will only affect the one misbehaving version.

0 Likes
Need more support?
Who's talking

Top contributors to this post

  • User avatar
    Greg-DB Dropbox Staff
What do Dropbox user levels mean?