You might see that the Dropbox Community team have been busy working on some major updates to the Community itself! So, here is some info on what’s changed, what’s staying the same and what you can expect from the Dropbox Community overall.
Forum Discussion
Astrofrans
2 years agoNew member | Level 2
Programatically generate auth token for nodejs server with javascript SDK
Hi! I've tried to read up on the doc/previous threads here, but couldn't quite figure this one out.. So, I'm building a web application in which I want an image gallery served from a specific D...
- 2 years ago
Astrofrans It's certainly possible to do so; you would just authorize the app for your own account only, and re-use the resulting refresh token for your account. The SDK works the same way regardless of how many accounts actually get connected. And while it's not the intended design pattern, as Здравко indicated, the security concerns are allayed when doing this in server-side apps, where you can keep the refresh token/access tokens secret and not exposed to end-users.
Greg-DB
Dropbox Staff
It's not possible to programmatically generate an access token without first using the OAuth app authorization flow, such as just from the app key and secret. The app authorization flow only needs to be done once per account though.
For reference, Dropbox is no longer offering the option for creating new long-lived access tokens. Dropbox is now issuing short-lived access tokens (and optional refresh tokens) instead of long-lived access tokens. You can find more information on this migration here.
Apps can still get long-term access by requesting "offline" access though, in which case the app receives a "refresh token" that can be used to retrieve new short-lived access tokens as needed, without further manual user intervention. You can find more information in the OAuth Guide and authorization documentation. There's a basic outline of processing this flow in this blog post which may serve as a useful example. (The "Generate" button on the app's page on the App Console can only be used to retrieve access tokens, not refresh tokens. You need to use the OAuth app authorization flow to get a refresh token.)
Here's an example of requesting offline access with the official Dropbox JavaScript SDK, which we recommend using. As long as you set the app key (a.k.a. client ID) and refresh token, like shown here in the example the SDK will actually handle refresh process for you automatically. The SDK will automatically catch expired access token errors and call the API to get a new short-lived access token when needed.
Astrofrans
2 years agoNew member | Level 2
Thanks for the reply!
I understand. So, in turn, this means that all users of my app will need to connect their Dropbox accounts to my Dropbox app? Which would also imply, then, that they need to have a Dropbox account as well?
My theory was that I could use my Dropbox and then just proxy frontend requests to it through my backend service, but I take it this is not what the API is intended for?
Best,
- Greg-DB2 years agoDropbox Staff
Correct, the Dropbox API is meant for use by end-users to each connect their own Dropbox accounts. You could technically connect to your own account only for everyone, but it's not recommended.
- Astrofrans2 years agoNew member | Level 2
Thanks again for the reply!
I'll probably mark this as the solution then. No reason to work against the design of the API, I guess.
Technically, though, if I may scope creep just a little bit on my original question. What I'm really trying to achieve here is a feed of images originating shared (though owned by my personal account) Dropbox folder that I can incorporate into a frontend app. Without going in to hairy stuff like scraping, is this something that there is support in any other way?
Best,
- Greg-DB2 years agoDropbox Staff
Astrofrans It's certainly possible to do so; you would just authorize the app for your own account only, and re-use the resulting refresh token for your account. The SDK works the same way regardless of how many accounts actually get connected. And while it's not the intended design pattern, as Здравко indicated, the security concerns are allayed when doing this in server-side apps, where you can keep the refresh token/access tokens secret and not exposed to end-users.
- Здравко2 years agoLegendary | Level 20
Astrofrans wrote:...
My theory was that I could use my Dropbox and then just proxy frontend requests to it through my backend service, but I take it this is not what the API is intended for?
...Dropbox API is used to establish connection in whatever context (either users context or your own only). When you're using Dropbox as server-side service you can safely use your own account only as well as user's accounts. On client side (web browser) it's not advisable single account (i.e. your own or any other) sharing - matter of security. In such cases only user's account should be used.
Greg-DB wrote:... the Dropbox API is meant for use by end-users to each connect their own Dropbox accounts. You could technically connect to your own account only for everyone, but it's not recommended.
Oh... 🤔 Why?! 🧐 Here server side is on focus - nodejs! 🤷
About Dropbox API Support & Feedback
Find help with the Dropbox API from other developers.
5,910 PostsLatest Activity: 3 days agoIf you need more help you can view your support options (expected response time for an email or ticket is 24 hours), or contact us on X or Facebook.
For more info on available support options for your Dropbox plan, see this article.
If you found the answer to your question in this Community thread, please 'like' the post to say thanks and to let us know it was useful!