Yes, the Dropbox "app key" is the "client ID" from the OAuth 2 spec, and is not considered secret. Here are several resources regarding OAuth 2 security and best practices that may be a helpful reference: datatracker.ietf.org/doc/htm… datatracker.ietf.org/doc/htm… oauth.com/oauth2-servers/aut…