Proper way of handling APP KEY and APP SECRET

Question

Hi there, as per the title, if my application is to be shipped to the customer, how am I supposed to properly handle the use of APP_KEY and APP_SECRET in the app itself for authentication?
&nbsp;
Currently, it is encoded in a base64 string and stored within the application itself and included in the headers. However, the user can relatively easily retrieve it if they want and impersonate my app.&nbsp;
&nbsp;
What would be the proper way of handling these information. Do I encrypt the base64 encoded string and store it in my app? Do I not include these in the app itself and find another way to obtain the APP_KEY and APP_SECRET?

Greg-DB · Answer

The app key is considered public and does not need to be protected. The app secret should ideally be kept private though.
&nbsp;
For server-side apps, such as web apps, this is possible since the app secret can be kept on the server only. In client-side apps, it's not possible to secure secrets unfortunately. Instead, you can avoid including the app secret entirely. For client-side apps, you can use the OAuth 2 "token" flow, which doesn't require the use of the app secret. You can find more information on that in the Dropbox OAuth 2 documentation.

Forum Discussion

Proper way of handling APP KEY and APP SECRET

1 Reply

About Dropbox API Support & Feedback

Related Content

What's the correct way to handle expired access token

Why was the way screenshots were handled changed?

Simple Node script not working with clientId /secret

SVG Files Rendering Black Shapes Instead of Proper Thumbnails

Invalid OAuth token handling

Recent Discussions

Shared Link - Download in .NET

Dropbox API server root certificate changes for .Net

GetCurrentAccountAsync API Failing for some Team Members while using Impersonation

Find DBID on Local PC

How to replace a non-existent permanent token? Any auto-refresh alternative for automation?