You might see that the Dropbox Community team have been busy working on some major updates to the Community itself! So, here is some info on what’s changed, what’s staying the same and what you can expect from the Dropbox Community overall.

Forum Discussion

jorgenpt's avatar
jorgenpt
Explorer | Level 3
8 years ago

Can app key be published?

In APIv1, there was an app secret and app key, but in APIv2 I only seem to need the app key. Is the app key something that needs to be kept secret? Can I safely publish the app key in the open source repository for my application?

  • When using the OAuth 2 "token" flow, only the app key is necessary and the app secret isn't used. In the "code" flow, both the app key and secret are necessary. You can find more information on the different OAuth 2 flows in the documentation here:

     

    https://www.dropbox.com/developers/documentation/http/documentation#oauth2-authorize

     

    Our general guidance is that when you're releasing your app to be used by users, you can certainly embed your key in the app, so that the app will work and let them link it to their accounts without any additional work.

     

    On the other hand, if you release the code itself, for example on GitHub, etc., you don't recommend including your app key. This way, if anyone forks the code (in essence, making their own version of the app), they will have to get their own app key. That lets the Dropbox API distinguish between the different versions of the apps, and in case one of them misbehaves, any action taken will only affect the one misbehaving version.

  • Greg-DB's avatar
    Greg-DB
    Icon for Dropbox Staff rankDropbox Staff

    When using the OAuth 2 "token" flow, only the app key is necessary and the app secret isn't used. In the "code" flow, both the app key and secret are necessary. You can find more information on the different OAuth 2 flows in the documentation here:

     

    https://www.dropbox.com/developers/documentation/http/documentation#oauth2-authorize

     

    Our general guidance is that when you're releasing your app to be used by users, you can certainly embed your key in the app, so that the app will work and let them link it to their accounts without any additional work.

     

    On the other hand, if you release the code itself, for example on GitHub, etc., you don't recommend including your app key. This way, if anyone forks the code (in essence, making their own version of the app), they will have to get their own app key. That lets the Dropbox API distinguish between the different versions of the apps, and in case one of them misbehaves, any action taken will only affect the one misbehaving version.

About Dropbox API Support & Feedback

Node avatar for Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

5,911 PostsLatest Activity: 9 hours ago
333 Following

If you need more help you can view your support options (expected response time for an email or ticket is 24 hours), or contact us on X or Facebook.

For more info on available support options for your Dropbox plan, see this article.

If you found the answer to your question in this Community thread, please 'like' the post to say thanks and to let us know it was useful!