phildenhoff / logseq-raindrop

A Raindrop plugin for Logseq
MIT License

What's the difference between using a "test token" and the "client secret" #2

Closed santiyounger closed 2 years ago

santiyounger commented 2 years ago

Hey, my name is Santi. Thanks for making such an awesome plugin. I might cover this plugin in the future on my YouTube channel, but I definitely want to make sure I understand the set-up properly if I'm gonna teach it in a video.

This is what I found in the readme

To get set up, generate a Raindrop API access token from the Settings > Integrations page. Use the Test Token as your API access token -- or walk through the entire OAuth flow, if that's your preference.

What's the difference between using a "test token" and the "client secret"?

I'm not too familiar with the difference here, and would love to know if using the "client secret" instead of "test token" is a bad idea. Or if using test token is the best way to go in general?

I appreciate any guidance, to make sure I pass on this info correctly

Thanks a lot!

phildenhoff commented 2 years ago

Hi Santi, that's a good question! Client secrets are a thing you'd use when you want to set up a real app for other people, so that they can tell Raindrop that you are allowed to act on their behalf. It's part of a whole thing called "OAuth" (there are similar things) and it's a bit of a hassle just for us to set up our own Logseq-Raindrop connections.

The client secret is shared between your app and Raindrop and allows Raindrop to make sure that when you say "I'm me, and I want to act on this user's behalf" that you're really you, so they ask you for something only you would know (your secret)! At that point, Raindrop says "here is a token that you can use to act on the user's behalf". That token expires every two weeks, so occasionally you have to get a new one (usually called something like a "token refresh").

However, we can skip that whole process by asking Raindrop to just make a test token for us, as if we had done the whole OAuth flow, giving our new app permission to act on the behalf of our current user. It also doesn't expire. That test token is what we want to use in the logseq-raindrop settings menu.


In terms of "why did I go this route, requiring everyone to set up their own app, instead of setting up my own app and doing it for you" (a question I know you didn't ask), as the maintainer of the plugin, I don't want to actually store anyone else's tokens. That means you'd be reliant on me for the Logseq—Raindrop connection to work, and I don't think anyone wants that. That can be really handy if you want to automate a connection, but it's not great for plugins like this.

Let me know if you have any other questions, otherwise I'll close your issue this weekend.
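The two credential shapes the reply above contrasts, as an added example that is not part of the original thread and not code from logseq-raindrop: a non-expiring test token beside an OAuth access token that goes stale after two weeks and has to be swapped via a refresh token. The `refresh` callback is a constructed stand-in for Raindrop's token endpoint (the real one is an HTTP call; its URL and response format are not assumed here), and the token strings and dates are made up. The point the code makes concrete is that the plugin only ever holds and sends the bearer token; the client secret belongs to the app that performs the refresh, which is why shipping one inside a plugin every user installs would expose it.

```javascript
// Added example (not logseq-raindrop code): modelling a Raindrop "test token"
// next to an OAuth access/refresh token pair, with the expiry check a client
// needs before each request. The token endpoint is a stand-in callback.

const TWO_WEEKS_MS = 14 * 24 * 60 * 60 * 1000;

// A test token from Settings > Integrations: one string, no expiry, nothing to refresh.
function testTokenCredential(token) {
  return { kind: "test_token", accessToken: token, refreshToken: null, expiresAt: null };
}

// What the OAuth flow leaves you with: a short-lived access token plus a refresh token.
// The two-week lifetime is the one stated in the thread; the field names are assumptions.
function oauthCredential({ accessToken, refreshToken, issuedAt, lifetimeMs = TWO_WEEKS_MS }) {
  return { kind: "oauth", accessToken, refreshToken, expiresAt: issuedAt + lifetimeMs };
}

// Refresh a little early (skewMs) so a request never leaves with a token that expires in flight.
function needsRefresh(cred, now, skewMs = 60 * 1000) {
  if (cred.expiresAt === null) return false; // test tokens never expire
  return now + skewMs >= cred.expiresAt;
}

// Return a credential valid at `now`. `refresh(refreshToken)` stands in for the
// token endpoint call: the app behind it presents its client id and client secret,
// so the secret stays on the app's side and never appears in this client code.
function ensureFresh(cred, now, refresh) {
  if (!needsRefresh(cred, now)) return cred;
  if (!cred.refreshToken) {
    throw new Error("access token expired and no refresh token available; re-run the OAuth flow");
  }
  const fresh = refresh(cred.refreshToken);
  return oauthCredential({
    accessToken: fresh.accessToken,
    refreshToken: fresh.refreshToken ?? cred.refreshToken, // some servers rotate, some don't
    issuedAt: now,
    lifetimeMs: fresh.lifetimeMs,
  });
}

// Only the bearer token leaves the machine with each API request.
function authHeader(cred) {
  return { Authorization: `Bearer ${cred.accessToken}` };
}

// Constructed stand-in for a token endpoint: accepts one known refresh token and
// hands out a numbered access token per call. A real endpoint would be async HTTP.
function makeFakeRefresher() {
  let issued = 0;
  return (refreshToken) => {
    if (refreshToken !== "refresh-abc") throw new Error("unknown refresh token");
    issued += 1;
    return { accessToken: `access-${issued}`, refreshToken: "refresh-abc", lifetimeMs: TWO_WEEKS_MS };
  };
}

// Walk both credentials forward past the two-week mark and report what happened.
function demo() {
  const t0 = Date.UTC(2024, 0, 1); // constructed issue time
  const later = t0 + TWO_WEEKS_MS + 1000; // just past expiry
  const refresher = makeFakeRefresher();
  const test = testTokenCredential("test-token-xyz");
  const oauth = oauthCredential({ accessToken: "access-0", refreshToken: "refresh-abc", issuedAt: t0 });
  const test2 = ensureFresh(test, later, refresher);
  const oauth2 = ensureFresh(oauth, later, refresher);
  return {
    testTokenUnchanged: test2 === test,
    oauthTokenAfterRefresh: oauth2.accessToken,
    oauthHeader: authHeader(oauth2).Authorization,
  };
}

console.log(demo());
```

The skew in `needsRefresh` is the detail worth copying: treating a token as expired a minute early costs nothing and avoids the race where the token dies between the check and the request. The error path in `ensureFresh` is what a user hits when an OAuth access token has lapsed and no refresh token was kept; with a test token that path is unreachable, which is the "it also doesn't expire" convenience the reply describes.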

santiyounger commented 2 years ago

Hey Phil,

Perfect explanation, happy to hear you found a way to have the best of both worlds: privacy for the user, and no need to renew the secret token every 2 weeks. Makes perfect sense, and I think it was a good decision to set it up the way you did.

Thanks a lot