Is linking necessary to download files?

[Cross-linking for reference: https://stackoverflow.com/questions/34603685/how-to-download-files-to-app-from-app-folder-without-linking-an-account-via-drop ]

Based on the additional information you posted in your StackOverflow question, it sounds like you just want your app to connect to your own Dropbox account, as opposed to the accounts of your end-users.

The API was designed with the intention that each user would link their own Dropbox account, in order to interact with their own files. However, it is technically possible to connect to just one account. The SDKs don't offer explicit support for it and we don't recommend doing so, for various technical and security reasons.

However if you did want to go this route, instead of kicking off the authorization flow, you would use an existing access token for your account and app. (Just be careful not to revoke it, e.g. via https://www.dropbox.com/account/security .) Also, note that while embedding an access token isn't great, you definitely shouldn't embed your username and password.

For reference, here are some other similar questions on StackOverflow where I've posted answers:

https://stackoverflow.com/questions/15014001/allow-dropbox-api-to-access-my-account-on-users-device
https://stackoverflow.com/questions/27834922/auto-login-dropbox-account-on-core-api-without-login-prompt

Thank you so much! I looked through your previous answers and I think I got it. I'll try implementing it when I get home. I saw that you cited security concerns. I would of course only be downloading non-personal PDFs and Word documents. (Informational packets and forms)

There wouldn't be any problem getting my app approved to the App Store would there? Also, are there any alternate solutions that would allow me to check each file individually in a folder and only download it if it has been updated?

My goal is to check every file in the folder and decide whether or not download it without explicitly knowing what the file is. (So I can add and remove files from the folder if needed) That's why I was straying away from explicit share links.

No problem. To elaborate a bit on the security concerns, note that client-side applications can't keep secrets, meaning that any access token stored in a distributed app could be extracted directly, or sniffed in transit. That means that a malicious user could get the access token, and use it to access the Dropbox API directly, bypassing any access controls your app attempted to enforce. They could even replace the files with other data, or revoke the access token entirely, breaking the integration for all of your users.

Anyway, I can't speak to any concerns with getting your app on the App Store. You'd have to refer to Apple for that.

Using the API would certainly be a useful way to download files and watch for when they change. As an alternative, you could use the etag header value returned on shared links, but that's not officially documented.

Do you know of any way to encrypt the access key that would fit the way I'm using it?

There are any number of ways obfuscate or encrypt it, but it's impossible to actually protect a secret in a client-side application. (E.g., if you encrypt it, the encryption key eventually needs to be on the device too, and so can be similarly stolen, etc.) No matter what, an attacker could extract the secret from the app. Or, even if the access token is encrypted at rest, they could just perform a man in the middle attack and pull the access token out as it goes over the network when making actual API calls.

Okay, I'll figure that out. I know how to get my access token. How do I retrieve my access token secret or is it just the app secret?

Also where can I find my user id?

The access token secret is not the same thing as the app secret.

If you're using OAuth 1, the access token secret is the "oauth_token_secret" returned by /oauth/access_token.

If you're using OAuth 2, the access token is just one string, and doesn't have a separate "secret" portion.

You can get your user ID from the account information API call (/account/info on v1, or /users/get_current_account on v2).

Can you explain how to use /oauth/access_token and /account/info and /users/get_current_account? I also don't know how to tell if I'm using Oauth 1 or 2 and V1 or V2. I apologize as I am somewhat new to all that.