We are aware of the issue with the badge emails resending to everyone, we apologise for the inconvenience - learn more here.
Forum Discussion
Hidding app_key and app_secret inside a possible desktop app
I have build a desktop app that will be distributed to any user who likes to use it. How do I use the core api (with python) to hide the both keys assigned by Dropbox for the app I made?
Seems to ...
Steve M.
Dropbox Staff
Dropbox StaffYou're right that the app key is public information, and someone can use that together with the implicit flow to impersonate your app. If you're building a pure server-side app, you can disable the implicit flow to prevent this, but otherwise, this is simply how OAuth works. (This security model is not specific to Dropbox.)
To use the implicit flow with Python, you would have to do the OAuth flow yourself, but once you have an access token, you can use the SDK as-is. You're right that to take someone through OAuth in a desktop app, you would typically embed an in-app browser, run a local webserver, or register a custom URI scheme on the client. Of those options, we generally recommend embedding a browser. As an alternative, you could use the native browser and just redirect to a page that displays the token and asks the user to copy/paste it into the app. This is obviously not as smooth of a user experience, but you may find the redirect URI https://www.dropbox.com/1/oauth2/display_token helpful for this purpose.
About Dropbox API Support & Feedback
Find help with the Dropbox API from other developers.
