ZeeshanFayyaz_1
7 years ago | Helpful | Level 6
Mobile Application (iOS and Android)
Hi there, currently I am working on a mobile application for an organization whose requirements are as follows: 1. All employees have installed the company app on their smartphones, i.e. Android and iOS. With...
ZeeshanFayyaz_1
Helpful | Level 6
Thanks for your support. I have read the stuff that you shared, but as I understand it, it allows me to upload files only to users' accounts, and I don't need that.
My requirement is as follows:
Let me elaborate with an example. Suppose there is a company named ABC, and the company has 20 employees. Company ABC has a Dropbox account (preferably paid), and what the company needs is that all of the employees have the company app (i.e. Android and iOS) on their smart devices.
App Functionality:
Allow its users to upload files to the company Dropbox account, that's all.
Now, according to the endpoints, they need an "Access Token" to upload files. How do I get that? As I understand it, it is a token generated when the user signs in to the app, or is there a way that I save the company credentials in the app permanently and get an access token by calling an endpoint that returns me an accessToken for that account?
Greg-DB
7 years ago | Dropbox Staff
I see, thanks for clarifying.
The API was designed with the intention that each user would link their own Dropbox account though, in order to interact with their own files. It is technically possible to connect to just one account like you describe, but we don't recommend doing so, for various technical and security reasons, especially in client-side apps like on iOS or Android.
Doing so would involve embedding an access token for the desired account in the app itself. A malicious user could then extract that access token from the app though.
- ZeeshanFayyaz_1 | 7 years ago | Helpful | Level 6
What if I call my custom API for an access token, then use that token to upload files?
Another point here is: "We are only providing upload-files functionality, not fetching them again."
- Greg-DB | 7 years ago | Dropbox Staff
The issue is that client-side applications can't keep secrets, meaning that any access token stored in a distributed app, or even just sent to the app at any time, could be extracted. That means that a malicious user could get the access token, and use it to access the Dropbox API directly, bypassing any access controls your app attempted to enforce. (E.g., they could download files.)
However, if you have your own server and are willing to use that as an intermediary, you do have more options. You could have the app call to your server, and have your server call the Dropbox API. That way, you can protect your access token on the server.
In that case, you can either:
a) have the mobile apps upload to your server, and then have the server upload to Dropbox (e.g., to /2/files/upload).
b) have the mobile apps call your server, have the server call /2/files/get_temporary_upload_link, and return the resulting upload link to the app. The app could then upload directly to Dropbox using the link. (Note that /2/files/get_temporary_upload_link is still in preview though.)
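Option (b) above, sketched as server-side Python. This is an added example, not code from the thread or from Dropbox. The `/uploads/<employee_id>/` layout, the `DROPBOX_ACCESS_TOKEN` environment variable and the function names are assumptions, and the employee is assumed to be authenticated by your own server before this function runs.

```python
import json
import os
import re
import urllib.request

DROPBOX_RPC = "https://api.dropboxapi.com/2/files/get_temporary_upload_link"
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")


def dropbox_post(url, token, payload):
    """Real transport: POST JSON to Dropbox with the server-held token."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def issue_upload_link(employee_id, filename, token=None, post=dropbox_post):
    """Return a one-off upload link for an already-authenticated employee.

    employee_id must come from your own server-side session check
    (hypothetical here), never from a field the app can set freely.
    """
    token = token or os.environ["DROPBOX_ACCESS_TOKEN"]  # never shipped in the app
    if not re.fullmatch(r"[a-z0-9]{1,32}", employee_id):
        raise ValueError("bad employee id")
    if not SAFE_NAME.fullmatch(filename) or ".." in filename:
        raise ValueError("bad filename")
    payload = {
        "commit_info": {
            # The server chooses the folder; the client only supplies a leaf name.
            "path": f"/uploads/{employee_id}/{filename}",
            "mode": "add",        # never overwrite an existing file
            "autorename": True,   # on conflict, Dropbox picks a new name
        },
        "duration": 300,          # seconds the link stays valid
    }
    reply = post(DROPBOX_RPC, token, payload)
    # Only the link goes back to the app, not the token or the raw reply.
    return {"upload_url": reply["link"]}
```

The app then sends the file bytes to `upload_url` with `Content-Type: application/octet-stream`; the link permits that one upload and nothing else, so extracting it from the app does not expose the rest of the account.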
- ZeeshanFayyaz_1 | 7 years ago | Helpful | Level 6
Thanks for your time. Actually, I was busy these days; that's why I am writing late to you. I have noticed the main point here. I have found your answer very helpful; I will discuss these points with the organization I am working with and get back to you. For now I am marking your answer as "Best Answer". Once again, thanks for your time.