I've written a simple piece of code using Dropbox API, which implies usage of APP_KEY and APP_SECRET of my app. Let's suppose someone wants to use my app too. I create a github repo, push the code and so on, but, of course, I don't put APP_KEY and APP_SECRET values. Do users have to register their own instances of this application? Is there another way to deal? Maybe sharing APP_KEY and APP_SECRET is enough secure to let it be that way?

In other words, Dropbox prohibits usage of username-password pair for authenticating (while their own official app does exactly that), but I want (for example) to make a plugin for KDE's Dolphin for getting public links to files from context menu and user shouldn't even know about all these SECRETS, KEYS and so on. What should I do?

You can encode your key using Dropbox API Key Encoder and use dropbox.js to decode it. That way you do not need to expose your secret key

The way I see it, the app key and secret should identify your instance/release of the app, not the code itself. So, if you want to release the code itself, e.g., on github, the app key and secret shouldn't be included. (One way to do this would be to keep them in a config file that the app would read from, but don't include the config file in the public repo.)

Then, when you release your app (i.e., to end users for general use), it can include the app key and secret embedded inside, not plainly visible to the users. Of course, the specifics here are a bit of a judgment call, based on the scenario. For example, non-compiled apps (e.g., shell scripts) by default make the source available in plain text, even when "released", so you'll probably not want to include them.

But alternatively, if any other developers wanted to use the code and build the app themselves (from source), they should register and use their own app key/secret.

I'm using the Figaro Gem to hide my Dropbox secret keys: https://github.com/laserlemon/figaro