I don't have any conclusive answers for you. This question gets raised here on the forum every year or two. I don't think eBay has given any real solid advice on this topic, so use your best judgement. I'm not sure about legal ramifications of exposing your AppID in client-side scripting.

I'd generally recommend this: If your AppID hasn't been approved (and you plan to NOT get it approved) via a Compatible Application Check (CAC), you're probably OK stepping forward and distributing your AppID in your client app. It'll have max = 5K calls/day total (across all clients), and any possible abuse applied on that AppID will be limited because of that. Hopefully that's good enough security for you and eBay, at that kind of calling volume.

If you decide to upgrade your AppID/account to 1.5M calls/day via the CAC, then DON'T distribute your AppID and instead keep it private. (This decision needs to be made in advance, or perhaps you can open a 2nd eBay Dev account for CAC.) If you're getting that much use (or abuse) on your app to warrant needing that higher call rate, you should invest in a more robust solution for authenticating API calls, such as not deploying your AppID and instead retaining it server-side, and have the client app call your own server, which proxies API calls while applying needed caching, throttling, security checks, etc.

Or, require your clients to each register for a free eBay Dev account, complete with 5K calls/day AppID key for just them, and they can insert their AppID into the app and free themselves from being dependent on your AppID (and free you from the risk of abuse).

HTH.
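The server-side proxy arrangement suggested in the reply above, as an added example that is not part of the original post and not eBay code: the AppID stays on the server, and the proxy applies an operation allowlist, per-client throttling, caching, and a shared daily call budget. The operation names, the `appid` parameter name, the `EBAY_APP_ID` variable, the limits, and the `fake_upstream` stand-in are all assumptions made for illustration.

```python
import os, time

# Added example, not eBay code: all names and limits below are assumptions.
ALLOWED_OPS = {"findItems", "getItem"}          # hypothetical operation allowlist

class AppIdProxy:
    def __init__(self, app_id, upstream, daily_budget=5000,
                 per_client_per_min=30, cache_ttl=60, clock=time.time):
        self.app_id, self.upstream, self.clock = app_id, upstream, clock
        self.daily_budget, self.per_client = daily_budget, per_client_per_min
        self.cache_ttl = cache_ttl
        self.cache = {}        # (op, params) -> (expires_at, response)
        self.client_hits = {}  # (client_id, minute) -> count (prune old keys in real use)
        self.day, self.used_today = None, 0

    def handle(self, client_id, op, params):
        """Return (status, body) for one client request."""
        now = self.clock()
        if op not in ALLOWED_OPS:
            return 403, "operation not allowed"
        # Drop anything the client sends that looks like a credential.
        clean = {k: v for k, v in params.items() if k.lower() not in ("appid", "app_id")}
        # Throttle per client in fixed one-minute windows.
        window = (client_id, int(now // 60))
        self.client_hits[window] = self.client_hits.get(window, 0) + 1
        if self.client_hits[window] > self.per_client:
            return 429, "client rate limit exceeded"
        # Serve identical queries from cache so they cost no upstream call.
        key = (op, tuple(sorted(clean.items())))
        hit = self.cache.get(key)
        if hit and hit[0] > now:
            return 200, hit[1]
        # Enforce the shared daily call budget before spending an upstream call.
        day = int(now // 86400)
        if day != self.day:
            self.day, self.used_today = day, 0
        if self.used_today >= self.daily_budget:
            return 503, "daily upstream budget exhausted"
        self.used_today += 1
        body = self.upstream(op, {**clean, "appid": self.app_id})  # key added server-side only
        self.cache[key] = (now + self.cache_ttl, body)
        return 200, body

def fake_upstream(op, params):
    """Constructed stand-in for the real API call; never echoes the key."""
    assert "appid" in params
    return f"{op}:{params.get('q', '')}"

if __name__ == "__main__":
    proxy = AppIdProxy(os.environ.get("EBAY_APP_ID", "PLACEHOLDER-APPID"), fake_upstream)
    print(proxy.handle("client-a", "findItems", {"q": "lens"}))
```

In a deployment, `handle` would sit behind an HTTP endpoint, with `client_id` derived from whatever the server trusts (a session or the source address) rather than a value the client chooses.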