We are aware of the issue with the badge emails resending to everyone, we apologise for the inconvenience - learn more here.

Forum Discussion

jorgenpt's avatar
jorgenpt
Explorer | Level 3
8 years ago

Can app key be published?

In APIv1, there was an app secret and app key, but in APIv2 I only seem to need the app key. Is the app key something that needs to be kept secret? Can I safely publish the app key in the open source repository for my application?

API
  • Greg-DB's avatar
    Greg-DB
    8 years ago

    When using the OAuth 2 "token" flow, only the app key is necessary and the app secret isn't used. In the "code" flow, both the app key and secret are necessary. You can find more information on the different OAuth 2 flows in the documentation here:

     

    https://www.dropbox.com/developers/documentation/http/documentation#oauth2-authorize

     

    Our general guidance is that when you're releasing your app to be used by users, you can certainly embed your key in the app, so that the app will work and let them link it to their accounts without any additional work.

     

    On the other hand, if you release the code itself, for example on GitHub, etc., you don't recommend including your app key. This way, if anyone forks the code (in essence, making their own version of the app), they will have to get their own app key. That lets the Dropbox API distinguish between the different versions of the apps, and in case one of them misbehaves, any action taken will only affect the one misbehaving version.

  • Greg-DB's avatar
    Greg-DB
    Icon for Dropbox Staff rankDropbox Staff
    8 years ago

    When using the OAuth 2 "token" flow, only the app key is necessary and the app secret isn't used. In the "code" flow, both the app key and secret are necessary. You can find more information on the different OAuth 2 flows in the documentation here:

     

    https://www.dropbox.com/developers/documentation/http/documentation#oauth2-authorize

     

    Our general guidance is that when you're releasing your app to be used by users, you can certainly embed your key in the app, so that the app will work and let them link it to their accounts without any additional work.

     

    On the other hand, if you release the code itself, for example on GitHub, etc., you don't recommend including your app key. This way, if anyone forks the code (in essence, making their own version of the app), they will have to get their own app key. That lets the Dropbox API distinguish between the different versions of the apps, and in case one of them misbehaves, any action taken will only affect the one misbehaving version.

About Dropbox API Support & Feedback

Node avatar for Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

5,877 PostsLatest Activity: 2 hours ago
325 Following

If you need more help you can view your support options (expected response time for an email or ticket is 24 hours), or contact us on X or Facebook.

For more info on available support options for your Dropbox plan, see this article.

If you found the answer to your question in this Community thread, please 'like' the post to say thanks and to let us know it was useful!

Related Content