Forum Discussion

Explorer | Level 3

8 years ago

Can app key be published?

In APIv1, there was an app secret and app key, but in APIv2 I only seem to need the app key. Is the app key something that needs to be kept secret? Can I safely publish the app key in the open source...

API

Greg-DB
8 years ago
When using the OAuth 2 "token" flow, only the app key is necessary and the app secret isn't used. In the "code" flow, both the app key and secret are necessary. You can find more information on the different OAuth 2 flows in the documentation here:

https://www.dropbox.com/developers/documentation/http/documentation#oauth2-authorize

Our general guidance is that when you're releasing your app to be used by users, you can certainly embed your key in the app, so that the app will work and let them link it to their accounts without any additional work.

On the other hand, if you release the code itself, for example on GitHub, etc., you don't recommend including your app key. This way, if anyone forks the code (in essence, making their own version of the app), they will have to get their own app key. That lets the Dropbox API distinguish between the different versions of the apps, and in case one of them misbehaves, any action taken will only affect the one misbehaving version.

Greg-DB

Dropbox Staff

8 years ago

When using the OAuth 2 "token" flow, only the app key is necessary and the app secret isn't used. In the "code" flow, both the app key and secret are necessary. You can find more information on the different OAuth 2 flows in the documentation here:

https://www.dropbox.com/developers/documentation/http/documentation#oauth2-authorize

Our general guidance is that when you're releasing your app to be used by users, you can certainly embed your key in the app, so that the app will work and let them link it to their accounts without any additional work.

On the other hand, if you release the code itself, for example on GitHub, etc., you don't recommend including your app key. This way, if anyone forks the code (in essence, making their own version of the app), they will have to get their own app key. That lets the Dropbox API distinguish between the different versions of the apps, and in case one of them misbehaves, any action taken will only affect the one misbehaving version.

About Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

5,877 PostsLatest Activity: 4 hours ago

If you need more help you can view your support options (expected response time for an email or ticket is 24 hours), or contact us on X or Facebook.

For more info on available support options for your Dropbox plan, see this article.

If you found the answer to your question in this Community thread, please 'like' the post to say thanks and to let us know it was useful!

Forum Discussion

Can app key be published?

About Dropbox API Support & Feedback

Related Content

Re: How can I delete the Dropbox desktop app and only use the online version?

Re: The Dropbox app doesn't launch automatically every time I restart my Win11 computer.

Files in Mobile Apps Not Syncing

Re: Can I share folders with my clients and not have them pay for extra Dropbox storage?

Re: I got this email "Please don't ignore: Your setup isn't complete" for my existing Dropbox account.

Recent Discussions

Trying to download a file, but no file is being downloaded.

Dropbox internal error occured - Resolution

How to add the entire team to team folder by api

API Upload .HEIC and convert to JPG

Invalid Folder Name with Team API