I've written a simple piece of code using Dropbox API, which implies usage of APP_KEY and APP_SECRET of my app. Let's suppose someone wants to use my app too. I create a
The way I see it, the app key and secret should identify your instance/release of the app, not the code itself. So, if you want to release the code itself, e.g., on GitHub, the app key and secret shouldn't be included. (One way to do this would be to keep them in a config file that the app would read from, but don't include the config file in the public repo.)
Then, when you release your app (i.e., to end users for general use), it can include the app key and secret embedded inside, not plainly visible to the users. Of course, the specifics here are a bit of a judgment call, based on the scenario. For example, non-compiled apps (e.g., shell scripts) by default make the source available in plain text, even when "released", so you'll probably not want to include them.
But alternatively, if any other developers wanted to use the code and build the app themselves (from source), they should register and use their own app key/secret.
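One way to implement the config-file approach from the answer above, as an added example that is not part of the original answer: the loader reads the key and secret from environment variables or from an untracked INI file, rejects leftover template values and loosely permissioned files, and a helper checks that the file is listed in `.gitignore`. The `DROPBOX_APP_KEY`/`DROPBOX_APP_SECRET` variable names, the `[dropbox]` section and the placeholder strings are assumptions made for this sketch.

```python
import configparser
import os
import stat
from pathlib import Path

REQUIRED = ("APP_KEY", "APP_SECRET")
# Assumed template values that a committed sample config might contain.
PLACEHOLDERS = {"", "changeme", "your_app_key", "your_app_secret"}


class CredentialError(Exception):
    """Raised when the app key/secret cannot be loaded safely."""


def load_dropbox_credentials(config_path, environ=None):
    """Return (app_key, app_secret) from env vars, else from an untracked INI file."""
    environ = os.environ if environ is None else environ
    # Assumed variable names: DROPBOX_APP_KEY and DROPBOX_APP_SECRET.
    values = {name: environ.get("DROPBOX_" + name) for name in REQUIRED}
    if not all(values.values()):
        path = Path(config_path)
        if not path.is_file():
            raise CredentialError(f"{path} not found; register your own app and create it")
        # Refuse a secrets file that other local users can access (POSIX only).
        if os.name == "posix" and path.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise CredentialError(f"{path} is accessible to group/others; chmod 600 it")
        parser = configparser.ConfigParser()
        parser.read(path)
        # Assumed layout: a [dropbox] section with app_key and app_secret options.
        section = parser["dropbox"] if parser.has_section("dropbox") else {}
        values = {name: section.get(name.lower()) for name in REQUIRED}
    for name, value in values.items():
        if value is None or value.strip().lower() in PLACEHOLDERS:
            raise CredentialError(f"{name} is missing or still a placeholder")
    return values["APP_KEY"].strip(), values["APP_SECRET"].strip()


def is_git_ignored(config_name, gitignore_path):
    """True if config_name is an exact .gitignore entry (no glob matching)."""
    path = Path(gitignore_path)
    if not path.is_file():
        return False
    entries = {s.lstrip("/") for s in map(str.strip, path.read_text().splitlines())
               if s and not s.startswith("#")}
    return config_name in entries
```

Calling `is_git_ignored` from a pre-commit hook or CI step catches the case where the config file was created but never excluded from the public repo.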
You can encode your key using Dropbox API Key Encoder and use dropbox.js to decode it. That way you do not need to expose your secret key.
I'm using the Figaro Gem to hide my Dropbox secret keys: https://github.com/laserlemon/figaro