Use of Consumer Secret in Dropbox API

I'm was working on the Dropbox Web API and using the OAuth process. I am little bit confused here and was unable to find out exactly how things worked inspite of reading the OAuth 1.0 core. Dropbox returns to me a token key and secret key even though I do not pass my consumer secret in the Request Token call. I simply pass the consumer key/app key. Is this normal?

And I am able to get past the whole process of Request Token, Allow user to Authorize Access & Get Access Token without actually using the consumer secret key

Where do I use the consumer key in that case? I read some things about si开发者_开发技巧gning etc, but the fact that I'm able to get through makes me think I'm on the wrong path.

Thanks. It should be fairly simple for folks working heavily on OAuth 1.0

The secret is actually used to sign these requests, so you are in fact using the secret if these calls succeed. (If you're using a library, it is likely doing it for you, which is why you may not notice.)