How to add an app to F-Droid that uses Web Api Secrets

Hello guys

I am currently developing an app that notifies you about new albums from artists you follow on Spotify. (because Spotify doesn’t have something like this) And for this app I use the Spotify Web API.
I would like to add this app to F-Droid but what would the best way to go about this be because I use keys from the Web API in my app.
Publish the keys in my GitHub Repo? (keys = clientId)

If it’s a public key, you can, if it’s a private => no

From the inclusion policy:

F-Droid does not sign up for any API keys.

API key should be either in source code or in F-Droid build recipe. In both cases it’s visible to everyone.

I’d make an API key specifically to include in the source repo, then you can have other API keys for other builds as needed. Web API keys are mostly about rate limiting and enforcing terms of service. If your API key starts getting rate limited, then you can do a few things:

  • prompt the user to add their own API key when the app receives HTTP 429 codes from the API
  • use multiple API keys for different contexts
  • reduce frequency of API calls in response to HTTP 429 codes
1 Like

Also, it is probably worth doing some very simple encoding to prevent automated web scrapers from downloading the API key. Just use base64, rot13, base32, etc. and store it in a file in that form, then when the code loads it, its just a simple, easily understood transformation. I think there is a near zero chance that there are people with enough skills to read Java reading through projects to find API keys that they could just get for free directly from the provider.

1 Like

Or you can ask users to insert their own key

An alternative could be to ask for inclusion in the the f-droid app repository at maintained by @Izzy

Thanks for the answers. I think Spotify clientId is a public key so I can put it into source control.

@k3b That site isn’t available (at least for me)

For the Spotify API to work I need to add the SHA1 fingerprint to my registered spotify developer app. Otherwise it won’t work.
Is it possible to get the SHA1 fingerprint that F-Droid uses or not? I feel like it is not possible as this would be a security issue.

@maracuja-juice My server had a hardware crash, which is why the repo isn’t available since last weekend. I hope it will be back this week, provider is working on it. Sorry for the inconvenience. Once it’s back, this would be the place to make your request.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.