Yes, the Dropbox "app key" is the "client ID" from the OAuth 2 spec, and is not considered secret. Here are several resources regarding OAuth 2 security and best practices that may be a helpful reference: https://datatracker.ietf.org/doc/html/rfc6819
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics
https://www.oauth.com/oauth2-servers/authorization/security-considerations/
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics
https://www.oauth.com/oauth2-servers/authorization/security-considerations/