You might see that the Dropbox Community team have been busy working on some major updates to the Community itself! So, here is some info on what’s changed, what’s staying the same and what you can expect from the Dropbox Community overall.
Forum Discussion
Issue in generating access token
Hello, I faced many issues in generating access token
First, I have here access code generated <REDACTED> Second trying to execute this curl :
curl https://api.dropbox.com/oauth2/token...
Hi Mostafa Ezzat,
Let's try some authentication process step by step. 🙂 It may succeed.
At the beginning make sure you have your App key and App secret at hand from App Console page. Select desired application there and once got there in and scroll to field "App key" and "App secret" (for the secret "Show" should be used) keep the browser window accessible, so would be able take a look there when needed.
Next, open a new browser window and put into address line following:
https://www.dropbox.com/oauth2/authorize?token_access_type=offline&response_type=code&client_id=<App key>Where "<App key>" is the one from you previous browser window. Next the confirmation you will get a code (alphanumeric sequence). The same could be received automatic when redirect URL is in use (either direct or PKCE code flow), but here we will perform it in such a way for clarity.
Next step will be to "materialize" the received code. In a terminal window execute following curl command:
curl https://api.dropbox.com/oauth2/token -d code=<received code> -d grant_type=authorization_code -u <App key>:<App secret>
Where "<received code>" is the code shown up in the second browser window after confirmation. "<App key>" and "<App secret>" come from the first browser window. As a result you will get in your terminal something like:
{"access_token": "sl.abcdefg123456789AbCdEf-GHijKLmn0U", "token_type": "bearer", "expires_in": 14400, "refresh_token": "oDfT54975DfGh12345KlMnOpQrSt01a", "scope": "account_info.read files.content.read etc.", "uid": "123456789", "account_id": "dbid:ABCDEF5g8HijklMNopQ2Rs5tUV_wxy5z_YO4"}Of course, you will receive different values filling the pattern. Here "sl.abcdefg123456789AbCdEf-GHijKLmn0U" is access token you can use in every regular API call for "14400" second since current moment until expires. "oDfT54975DfGh12345KlMnOpQrSt01a" is your refresh token. The one that will never expire (or till revoke).
When currently received access token expires, you can perform following curl call:
curl https://api.dropbox.com/oauth2/token -d grant_type=refresh_token -d refresh_token=oDfT54975DfGh12345KlMnOpQrSt01a -u <App key>:<App secret>
Where "oDfT54975DfGh12345KlMnOpQrSt01a" is the refresh token "materialized" from code at the beginning. "<App key>" and "<App secret>" come again from the first browser window. As a result you will get in your terminal something like:
{"access_token": "sl.abcdefg123456789AbCdEf-OPqrSTuv1W", "token_type": "bearer", "expires_in": 14400}Again "sl.abcdefg123456789AbCdEf-OPqrSTuv1W" is an access token usable in regular API calls for "14400" seconds (i.e. 4 hours). The last call need to be used every time you need valid access token and the previous one got expired. For the test here you don't have to wait 4 hours. You can call it immediately. 😉 Completes everything successfully?
Every time you do receive access token, it can be use for as many seconds as denoted in "expires_in" field. The access token itself is a ASCII chars sequence and you should be ready to process such a sequence as presented (including different length).
Hope this gives direction and clarifies matter with the step by step processing.
I'm sorry for this but it doesn't work, I also tried with no quotes refresh_token=refresh_token it prints this error
"error_description": "The request parameters do not match any of the supported authorization flows. Please refer to the API documentation for the correct parameters."
curl https://api.dropbox.com/oauth2/token \ -d grant_type=refresh_token \ -d refresh_token='refresh_token' \ -u mykey:mykey
May I ask something if this the return of the refresh token but the access_token is totally different size from the one which genrated by the first curl so is that normal with this access token I'll be able to execute some curl codes? . Thanks in advance
{ "access_token": "sl.abcd1234efg", "expires_in": "13220", "token_type": "bearer", }Hi Mostafa Ezzat,
Let's try some authentication process step by step. 🙂 It may succeed.
At the beginning make sure you have your App key and App secret at hand from App Console page. Select desired application there and once got there in and scroll to field "App key" and "App secret" (for the secret "Show" should be used) keep the browser window accessible, so would be able take a look there when needed.
Next, open a new browser window and put into address line following:
https://www.dropbox.com/oauth2/authorize?token_access_type=offline&response_type=code&client_id=<App key>Where "<App key>" is the one from you previous browser window. Next the confirmation you will get a code (alphanumeric sequence). The same could be received automatic when redirect URL is in use (either direct or PKCE code flow), but here we will perform it in such a way for clarity.
Next step will be to "materialize" the received code. In a terminal window execute following curl command:
curl https://api.dropbox.com/oauth2/token -d code=<received code> -d grant_type=authorization_code -u <App key>:<App secret>
Where "<received code>" is the code shown up in the second browser window after confirmation. "<App key>" and "<App secret>" come from the first browser window. As a result you will get in your terminal something like:
{"access_token": "sl.abcdefg123456789AbCdEf-GHijKLmn0U", "token_type": "bearer", "expires_in": 14400, "refresh_token": "oDfT54975DfGh12345KlMnOpQrSt01a", "scope": "account_info.read files.content.read etc.", "uid": "123456789", "account_id": "dbid:ABCDEF5g8HijklMNopQ2Rs5tUV_wxy5z_YO4"}Of course, you will receive different values filling the pattern. Here "sl.abcdefg123456789AbCdEf-GHijKLmn0U" is access token you can use in every regular API call for "14400" second since current moment until expires. "oDfT54975DfGh12345KlMnOpQrSt01a" is your refresh token. The one that will never expire (or till revoke).
When currently received access token expires, you can perform following curl call:
curl https://api.dropbox.com/oauth2/token -d grant_type=refresh_token -d refresh_token=oDfT54975DfGh12345KlMnOpQrSt01a -u <App key>:<App secret>
Where "oDfT54975DfGh12345KlMnOpQrSt01a" is the refresh token "materialized" from code at the beginning. "<App key>" and "<App secret>" come again from the first browser window. As a result you will get in your terminal something like:
{"access_token": "sl.abcdefg123456789AbCdEf-OPqrSTuv1W", "token_type": "bearer", "expires_in": 14400}Again "sl.abcdefg123456789AbCdEf-OPqrSTuv1W" is an access token usable in regular API calls for "14400" seconds (i.e. 4 hours). The last call need to be used every time you need valid access token and the previous one got expired. For the test here you don't have to wait 4 hours. You can call it immediately. 😉 Completes everything successfully?
Every time you do receive access token, it can be use for as many seconds as denoted in "expires_in" field. The access token itself is a ASCII chars sequence and you should be ready to process such a sequence as presented (including different length).
Hope this gives direction and clarifies matter with the step by step processing.
- Greg-DB
Dropbox Staff
Mostafa Ezzat I see Здравко very helpfully offered a detailed walk-through of this flow. Please let us know if this still isn't working for you.
Thank you. Your answer was very helpful to me. It should be in the guide articles.
Thanks for all it's working
Hi Здравко
It's possible obtain the code in this call :
https://www.dropbox.com/oauth2/authorize?token_access_type=offline&response_type=code&client_id=<App key>permanently? When I send a request, the code is only available for a first time, when I used in a future call, the code is invalid.
Thanks for all
FARO wrote:... When I send a request, the code is only available for a first time, when I used in a future call, the code is invalid.
...
Hi FARO,
🙂How long you expect a code to be used?! 🧐
Let's see. If you forget your credentials to some service and there is a option to receive a recovery code throughout a registered phone number with SMS (for example), how many times you can use received code??? 🤔 Would be reliable and secure if such code can be used for multiple recovering? (such codes are usually relatively short and simple, so easy to use, but to guess too) 😯 That's why such codes are "single shot" (i.e. one time use) and usually for limited time.
The code you are talking about is a member of the same "team" of codes. It's used for one time authorization (together with all other provided information). The refresh token you are receiving on call authenticated successfully with this code can be used multiple times, not the code itself! 😉 Take care! As far as I can guess, according your description, you ignored actual refresh token all the time. Don't ignore it, but keep and use it on followup access token refresh (exactly as mentioned - follow it exactly and don't try to interpret and modify, if your aren't sure what exactly you are doing).
Hope this clarifies matter.
- Greg-DB
FARO Здравко is correct; that code is an "authorization code", which can only be used once each. You should process that and instead store and re-use the "refresh token", which can be used repeatedly. Check out the OAuth Guide and authorization documentation for more information.
I'm getting the following error:
{"error": "invalid_request","error_description": "Bad \"Authorization\" header: 'ascii' codec can't decode byte 0xe2 in position 15: ordinal not in range(128)"}Hi matthewknill,
The message, you posted, is clear enough - your authorization header is malformed. Are you certain your header matches the pattern:
Authorization: Bearer <Your access token here>According to the data in your post, it's not. 🤔 How exactly have you formatted it?
Hope this gives direction.
I've followed process exactly then used the following to get the refresh token:
curl https://api.dropbox.com/oauth2/token \ -d code=<Access Code> \ -d grant_type=authorization_code \ -u <App key>:<App secret>In such a case it sounds like some copy/paste error. Make sure that everything enlabeled like "<something>" is replaced exactly to what the something means! 🤷 Don't put anything more or less there. That's it.
About Dropbox API Support & Feedback
Find help with the Dropbox API from other developers.
