How does rclone obfuscate client secrets?

What is the problem you are having with rclone?

I have an application I'm working on that uses rclone as it's backend to connect to things like Dropbox. I'm in the middle of applying for production status to Dropbox (as I'm wanting custom branding when I use rclone), but they're saying stuff about how my Dropbox client key shouldn't be in the source code for my application.

I saw that rclone uses an encrypted secret in the source code for the default Dropbox client, but how is rclone doing that? From what I know there's no middle-man server that authenticates to Dropbox, so how does rclone decrypt the client key without revealing it to the client?

Run the command 'rclone version' and share the full output of the command.


Which cloud storage system are you using? (eg Google Drive)


The command you were trying to run (eg rclone copy /tmp remote:tmp)


The rclone config contents with secrets removed.


A log from the command with the -vv flag


Default App/Client/IDs are in the code - they are not secret. How they could be?

You can provide your own and secure them in encrypted config file.

All those ways are just obfuscating the client key though, right? Doing an ecrypted config would be the same too, correct? (I'd still have to decrypt the config client-side since everything has to be done on the client)

It is not the same as this is encrypted and lives only on client machine. Defaults are in the code - so anybody can access them.

Having rclone binary or source code has no use for me if I would like to steal your credentials. But both of us can retrieve defaults.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.