Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

How sensitive are the app key and app secret?

rstokes
New member | Level 2

It's all in the title really: what can someone achieve with my app key and app secret? The API needs to be authenticated against a user to access data. What are possible bad outcomes of a compromised app secret and key?

 

Thanks!

Re: How sensitive are the app key and app secret?

Greg-DB
Dropboxer

The app key and secret identify your app, and are used during the OAuth app authorization flow. They do not themselves offer access to any user data.

 

A leaked app key/secret pair would allow someone to:
- impersonate your app (e.g., initiate the OAuth app authorization flow for your app). The potential here is limited though because they would not be able to register their own redirect URIs for your app.
- send bogus but correctly signed webhook notifications (since Dropbox signs real webhook notifications using the app secret).

 

A leaked app key/secret pair itself would not allow someone to access user data however, as that requires an actual access token.
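The webhook point in the reply above, as an added example that is not part of the reply or Dropbox's own code: a receiver checks the `X-Dropbox-Signature` header, which carries the hex HMAC-SHA256 of the raw request body keyed with the app secret, and then treats the notification only as a hint to re-check accounts with their access tokens. The secret value, the sample body, and the function names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed placeholder; the real secret lives in the app's server-side config.
APP_SECRET = b"constructed-app-secret"
# Constructed sample notification body (the account ID is made up).
SAMPLE_BODY = b'{"list_folder": {"accounts": ["dbid:AAAA-constructed"]}}'


def sign_body(body: bytes, secret: bytes) -> str:
    """Hex HMAC-SHA256 of the raw body, the value sent in X-Dropbox-Signature."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(body: bytes, signature, secret: bytes) -> bool:
    """True only if the header matches the HMAC of the exact raw request bytes."""
    if not isinstance(signature, str) or not signature:
        return False
    expected = sign_body(body, secret)
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    return hmac.compare_digest(expected.encode(),
                               signature.encode("utf-8", "replace"))


def accounts_to_sync(body: bytes, signature, secret: bytes) -> list:
    """Return account IDs to re-check through the API, or [] if rejected.

    The notification carries no file data and grants nothing by itself, so a
    handler that only uses it as a trigger to list changes with the stored
    access token limits what a forged notification can cause.
    """
    if not verify_webhook(body, signature, secret):
        return []
    try:
        payload = json.loads(body)
    except ValueError:
        return []
    folder = payload.get("list_folder") if isinstance(payload, dict) else None
    return list(folder.get("accounts", [])) if isinstance(folder, dict) else []
```

Because the signature depends only on the body and the secret, rotating the app secret after a leak is what makes notifications signed with the old value fail this check.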
