I am currently developing an app that notifies you about new albums from artists you follow on Spotify (because Spotify doesn’t have something like this). For this app I use the Spotify Web API.
I would like to add this app to F-Droid, but what would the best way to go about this be, because I use keys from the Web API in my app?
Publish the keys in my GitHub Repo? (keys = clientId)
I’d make an API key specifically to include in the source repo, then you can have other API keys for other builds as needed. Web API keys are mostly about rate limiting and enforcing terms of service. If your API key starts getting rate limited, then you can do a few things:
- prompt the user to add their own API key when the app receives HTTP 429 codes from the API
- use multiple API keys for different contexts
- reduce frequency of API calls in response to HTTP 429 codes
Also, it is probably worth doing some very simple encoding to prevent automated web scrapers from downloading the API key. Just use base64, rot13, base32, etc. and store it in a file in that form, then when the code loads it, it's just a simple, easily understood transformation. I think there is a near zero chance that there are people with enough skills to read Java reading through projects to find API keys that they could just get for free directly from the provider.
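The reply above, sketched as an added example that is not code from the thread or from any of its participants: a bundled client ID stored base64-encoded, plus a policy that slows down on HTTP 429 and asks the user for their own key once the bundled one keeps getting limited. The class, method and constant names and the thresholds are assumptions, and the encoded value is a constructed placeholder.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example; every name here is hypothetical, not from the thread or Spotify.
public class RateLimitPolicy {
    enum Action { PROCEED, WAIT, ASK_USER_FOR_KEY }

    // Constructed placeholder: base64 of "example-client-id", not a real client ID.
    // Encoding only keeps naive scrapers away; anyone reading the source can decode it.
    static final String BUNDLED_ID_B64 = "ZXhhbXBsZS1jbGllbnQtaWQ=";
    static final int MAX_429_ON_BUNDLED_KEY = 3;   // assumption
    static final long MAX_DELAY_SECONDS = 3600;    // assumption

    private String userClientId;   // null until the user supplies their own key
    private int consecutive429;

    // java.util.Base64 needs Android API 26+; android.util.Base64 covers older devices.
    String clientId() {
        if (userClientId != null) return userClientId;
        return new String(Base64.getDecoder().decode(BUNDLED_ID_B64), StandardCharsets.UTF_8);
    }

    void setUserClientId(String id) { userClientId = id; consecutive429 = 0; }

    // Call once per API response with its HTTP status code.
    Action onResponse(int status) {
        if (status != 429) { consecutive429 = 0; return Action.PROCEED; }
        consecutive429++;
        boolean bundled = (userClientId == null);
        return (bundled && consecutive429 > MAX_429_ON_BUNDLED_KEY) ? Action.ASK_USER_FOR_KEY : Action.WAIT;
    }

    // Seconds to pause after a 429: the larger of Retry-After and exponential backoff, capped.
    long delaySeconds(String retryAfter) {
        long backoff = Math.min(MAX_DELAY_SECONDS, 1L << Math.min(consecutive429, 12));
        if (retryAfter == null || !retryAfter.trim().matches("\\d{1,9}")) return backoff; // absent or HTTP-date form
        return Math.min(MAX_DELAY_SECONDS, Math.max(Long.parseLong(retryAfter.trim()), backoff));
    }

    public static void main(String[] args) {
        RateLimitPolicy p = new RateLimitPolicy();
        int[] statuses = {200, 429, 429, 429, 429};         // constructed response sequence
        String[] retryAfter = {null, "5", null, "1", null}; // constructed header values
        for (int i = 0; i < statuses.length; i++) {
            Action a = p.onResponse(statuses[i]);
            System.out.println(statuses[i] + " -> " + a + (a == Action.WAIT ? " " + p.delaySeconds(retryAfter[i]) + "s" : ""));
        }
        p.setUserClientId("user-supplied-id");  // constructed value entered by the user
        System.out.println(p.onResponse(200) + " with " + p.clientId());
    }
}
```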
For the Spotify API to work I need to add the SHA1 fingerprint to my registered Spotify developer app. Otherwise it won’t work.
Is it possible to get the SHA1 fingerprint that F-Droid uses or not? I feel like it is not possible as this would be a security issue.
@maracuja-juice My server had a hardware crash, which is why the repo isn’t available since last weekend. I hope it will be back this week, provider is working on it. Sorry for the inconvenience. Once it’s back, this would be the place to make your request.