How sensitive are the app key and app secret?

Question

It's all in the title really, what can someone achieve with my app key and app secret? The api needs to be authenticated against a user to access data. What are possible bad outcomes of a compromised app secret and key?

Thanks!

Greg-DB · Answer

The app key and secret identify your app, and are used during the OAuth app authorization flow. They do not themselves offer access to any user data.
&nbsp;
A leaked app key/secret pair would allow someone to:- impersonate your app (e.g.,&nbsp;initiate the OAuth app authorization flow for your app). The potential here is limited though because they would not be able to register their own redirect URIs for your app.- send bogus but correctly signed webhook notifications (since Dropbox signs real&nbsp;webhooks notificaitons using the app secret).
&nbsp;
A leaked app key/secret pair itself would not allow someone to access user data however, as that requires an actual access token.

Forum Discussion

How sensitive are the app key and app secret?

1 Reply

About Dropbox API Support and Feedback

Related Content

Simple Node script not working with clientId /secret

Using refresh token without client secret

API secret in dropbox.oauth.DropboxOAuth2FlowNoRedirect and redistribution

Can I ask Dropbox to remove a sensitive file?

Accidentally uploaded a very sensitive file

Recent Discussions

Classic ASP read folder for https file links.

Can't upload branding logo for app

Failed to Load Request Error when using Chooser API

list_folder is not returning media info

Receiving errors from Dropbox API