cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community
English
Announcements
What’s new: end-to-end encryption, Replay and Dash updates. Find out more about these updates, new features and more here.

Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Proper way of handling APP KEY and APP SECRET

Labels:

Proper way of handling APP KEY and APP SECRET

robobooga
Explorer | Level 4
‎04-15-2020 12:47 PM

Hi there, as per the title, if my application is to be shipped to the customer, how am I supposed to properly handle the use of APP_KEY and APP_SECRET in the app itself for authentication?

 

Currently, it is encoded in a base64 string and stored within the application itself and included in the headers. However, the user can relatively easily retrieve it if they want and impersonate my app. 

 

What would be the proper way of handling these information. Do I encrypt the base64 encoded string and store it in my app? Do I not include these in the app itself and find another way to obtain the APP_KEY and APP_SECRET?

Labels:
  • 0 Likes
  • 1 Replies
  • 2,031 Views
0 Likes
1 Reply 1

Greg-DB
Dropbox Staff
‎04-15-2020 01:34 PM

The app key is considered public and does not need to be protected. The app secret should ideally be kept private though.

 

For server-side apps, such as web apps, this is possible since the app secret can be kept on the server only. In client-side apps, it's not possible to secure secrets unfortunately. Instead, you can avoid including the app secret entirely. For client-side apps, you can use the OAuth 2 "token" flow, which doesn't require the use of the app secret. You can find more information on that in the Dropbox OAuth 2 documentation.

Need more support?
Who's talking

Top contributors to this post

  • User avatar
    Greg-DB Dropbox Staff
What do Dropbox user levels mean?