Tags: web-applications, api-key, trello, auth-token

Trello keys, which can be revealed?


Which keys can be revealed? I'm developing an open source application using the Trello API in Python. I have the application key which I generated from appKey/generate, which I always require for initiating the client. If I hard-code this application key in my source code then everybody will be able to use my account. If I always ask the user to enter his application key, then what is the need for the application token?


Solution

  • Every user of your open source app needs to provide his own developer key. I suggest using a config file that he must fill in before using the app.

    From that page, only the first key is public: https://trello.com/app-key

    But the second one, the "secret key", is secret... I don't know what it is used for for now; we only use the public key + user token.

    Your data is secure even if you give out your developer key, as that key doesn't allow that user to see your data; he gets his own token from OAuth, and that token says he can only interact with his own data.

    We are developing a JavaScript app, so everyone can see our dev key in the Chrome debugger, but the token is the security.

    Even if your user is using your personal api_key, he is not "logged in" to your Trello account, so he can't see anything. The "token" is the key used for security and access.

    But because your app is not hosted on your servers, but is open source and can be used by anyone, I suggest not giving out your key in the app.
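The config-file approach the answer recommends, written out for the asker's Python setting as an added example. This is not code from the original post, from Trello, or from any Trello client library; the file name `trello.ini`, the `[trello]` section and option names, and the `TRELLO_API_KEY` / `TRELLO_TOKEN` environment variables are assumptions. The developer key and the user's token both stay out of the source tree: the app refuses to start until the user has supplied them, and only redacted forms ever reach a log line.

```python
"""Keep the Trello developer key and user token out of the source tree.

Added example (not from the original post or any Trello library): each user
fills in a local config file, or sets environment variables, and the
application refuses to start until both values exist. The file name,
section/option names and environment variable names are assumptions.
"""
import configparser
import os

CONFIG_PATH = "trello.ini"      # assumed per-user file; add it to .gitignore
ENV_KEY = "TRELLO_API_KEY"      # assumed env var names; they override the file
ENV_TOKEN = "TRELLO_TOKEN"

CONFIG_TEMPLATE = """[trello]
# Developer (application) key from https://trello.com/app-key
api_key =
# User token granted through Trello's authorization flow; never share it
token =
"""


class MissingCredential(Exception):
    """Raised when the developer key or the user token has not been supplied."""


def parse_credentials(config_text, environ=None):
    """Return (api_key, token) from INI text, with environment variables overriding.

    Raises MissingCredential naming every value that is still empty, so the user
    learns in one go what the config file must contain.
    """
    environ = os.environ if environ is None else environ
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    api_key = environ.get(ENV_KEY) or parser.get("trello", "api_key", fallback="").strip()
    token = environ.get(ENV_TOKEN) or parser.get("trello", "token", fallback="").strip()
    missing = [name for name, value in (("api_key", api_key), ("token", token)) if not value]
    if missing:
        raise MissingCredential("fill in %s in %s" % (", ".join(missing), CONFIG_PATH))
    return api_key, token


def load_credentials(path=CONFIG_PATH, environ=None):
    """Read the config file, writing an empty template first if it does not exist."""
    if not os.path.exists(path):
        with open(path, "w") as fh:
            fh.write(CONFIG_TEMPLATE)
        raise MissingCredential("created %s; fill in api_key and token" % path)
    with open(path) as fh:
        return parse_credentials(fh.read(), environ)


def auth_params(api_key, token):
    """Query parameters Trello's REST API expects on each call: the app key plus the user's token."""
    return {"key": api_key, "token": token}


def redact(secret, keep=4):
    """Log-safe rendering of a credential: only the first few characters survive."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)


if __name__ == "__main__":
    try:
        key, tok = load_credentials()
    except MissingCredential as exc:
        raise SystemExit(exc)
    print("using key %s, token %s" % (redact(key), redact(tok)))
```

Because each user's own token is what Trello authorizes against, the developer key alone never grants access to the author's boards; what the config file protects is the author's key from being reused in someone else's requests, which is the concern the answer raises.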