python decompiling copy-protection

Secret data/keys in Python script


I have some code that works with my Dropbox account via the Dropbox API, with the account access token in the code, like this:

import dropbox

token = "sdfdsfsdfdsfsf"
dbx = dropbox.Dropbox(token)

I plan to distribute my app with that code, but I don't know how to protect the token value: Python scripts can be easily decompiled, and other people could see my token.

How can I protect the token in the code, and in what ways?

Thank you!


Solution

  • This is indeed a question worth discussing.

    We always talk about how to protect our app_key or token in our source code. As a matter of fact, it's really very hard to do this, especially in your source code, which means that if your program is decompiled, your app will in any case be exposed; even if you encrypt your app_key or token, it does not play a very big role.

    My advice is: do not put your real app_key in your source code. So the key to the problem is how to authorize.

    Here are several plans:

    • You can store your encrypted key in an external file, put it on your server or any other VPS, and load it at runtime. The program will get the encrypted key and decrypt it in your program.

    • Generate your own unique token that has privileges for your program. This means you should build your own API key system where you can give keys to your customers. This will protect your Dropbox app_key to the greatest extent possible.

    • IP whitelists, if you deploy your program on your customers' servers. The premise is that your users are relatively fixed. It will be helpful if your customers are business users; if they are mobile phone users, it will be a bad idea.

    • Use SSL to prevent hackers from capturing packets, if you want to build your own authorization verification system. To some extent this may effectively protect your interface.

    • Generate a temporary token by some method of your own; maybe you can bind the app_key and a timestamp together. This temporary token is privileged, but only for a very short time.

    By the way, you can consult the service provider; perhaps they have already built a set of plans.

    Hope this helps.
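
The temporary-token plan from the answer above, sketched as an added example that is not part of the original post: a server you control keeps the real Dropbox token and gives each client a short-lived HMAC-signed token. It binds a client ID and an expiry time under a server-only secret rather than the app_key itself; `SERVER_SECRET`, `issue_token` and `verify_token` are hypothetical names, and the secret value is constructed.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed sample secret. Assumption: in a real deployment this value lives
# only on the server (environment variable or secret store), never in the client.
SERVER_SECRET = b"constructed-demo-secret-not-a-real-key"
TOKEN_TTL = 300  # seconds a temporary token stays valid (assumed value)


def _sign(payload: str, secret: bytes) -> str:
    """HMAC-SHA256 over the payload, URL-safe base64 without padding."""
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_token(client_id: str, now: Optional[float] = None,
                ttl: int = TOKEN_TTL, secret: bytes = SERVER_SECRET) -> str:
    """Server side: bind a client ID and an expiry timestamp under an HMAC."""
    if ":" in client_id:
        raise ValueError("client_id must not contain ':'")
    expires = int((time.time() if now is None else now) + ttl)
    payload = f"{client_id}:{expires}"
    return f"{payload}:{_sign(payload, secret)}"


def verify_token(token: str, now: Optional[float] = None,
                 secret: bytes = SERVER_SECRET) -> Optional[str]:
    """Server side: return the client ID if the token is authentic and unexpired."""
    try:
        client_id, expires_s, sig = token.split(":")
        expires = int(expires_s)
    except ValueError:
        return None  # wrong number of fields or non-numeric expiry
    # Sign exactly the bytes received, then compare in constant time.
    expected = _sign(f"{client_id}:{expires_s}", secret)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None  # forged or modified token
    if (time.time() if now is None else now) >= expires:
        return None  # expired: a leaked token is only useful for TOKEN_TTL seconds
    return client_id
```

Only after `verify_token` succeeds would the server make the Dropbox API call on the client's behalf, so the long-lived token never ships inside the distributed script.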