You might see that the Dropbox Community team have been busy working on some major updates to the Community itself! So, here is some info on what’s changed, what’s staying the same and what you can expect from the Dropbox Community overall.
Forum Discussion
MN86
3 years agoNew member | Level 2
Obtaining short lived API Access tokens
Hello, I'm struggling with the process of obtaining/refreshing short lived tokens. I have a remote camera that will occasionally upload a picture using HTTP over the cellular network. The API works b...
- 3 years ago
For context, Dropbox is in the process of switching to only issuing short-lived access tokens (and optional refresh tokens) instead of long-lived access tokens. You can find more information on this migration here.
Apps can still get long-term access by requesting "offline" access though, in which case the app receives a "refresh token" that can be used to retrieve new short-lived access tokens as needed, without further manual user intervention. (Refresh tokens don't expire, but can be revoked on demand.) You can find more information in the OAuth Guide and authorization documentation.To clarify what you have so far though, the code returned from /oauth2/authorize when using 'response_type=code' like this is an "authorization code", which is different than an "access token" or "refresh token". Authorization codes are temporary, single-use codes that the app should use once to retrieve the authorization result (which would be an access token and optionally a refresh token).
And yes, using a redirect URI is optional with this 'response_type=code' flow. When the redirect URI is omitted, the authorization code is just presented on the Dropbox web page so it can be copied/pasted back into the app manually.
So, to summarize, the flow would look like this:
- the app builds the /oauth2/authorize URL ("Example: Auth URL for code flow with offline token access type")
- the user visits the /oauth2/authorize URL in their browser and authorizes the app
- the user copies the authorization code back into the app
- the app sends the authorization code to /oauth2/token and receives back a short-lived access token and refresh token ("Example: access token request in code flow")
- the app makes calls using the short-lived access token until it expires
- the app sends the refresh token to /oauth2/token and receives back another short-lived access token, whenever and as many times as necessary in the future ("Example: refresh token request")
Greg-DB
Dropbox Staff
For context, Dropbox is in the process of switching to only issuing short-lived access tokens (and optional refresh tokens) instead of long-lived access tokens. You can find more information on this migration here.
Apps can still get long-term access by requesting "offline" access though, in which case the app receives a "refresh token" that can be used to retrieve new short-lived access tokens as needed, without further manual user intervention. (Refresh tokens don't expire, but can be revoked on demand.) You can find more information in the OAuth Guide and authorization documentation.
To clarify what you have so far though, the code returned from /oauth2/authorize when using 'response_type=code' like this is an "authorization code", which is different than an "access token" or "refresh token". Authorization codes are temporary, single-use codes that the app should use once to retrieve the authorization result (which would be an access token and optionally a refresh token).
And yes, using a redirect URI is optional with this 'response_type=code' flow. When the redirect URI is omitted, the authorization code is just presented on the Dropbox web page so it can be copied/pasted back into the app manually.
So, to summarize, the flow would look like this:
- the app builds the /oauth2/authorize URL ("Example: Auth URL for code flow with offline token access type")
- the user visits the /oauth2/authorize URL in their browser and authorizes the app
- the user copies the authorization code back into the app
- the app sends the authorization code to /oauth2/token and receives back a short-lived access token and refresh token ("Example: access token request in code flow")
- the app makes calls using the short-lived access token until it expires
- the app sends the refresh token to /oauth2/token and receives back another short-lived access token, whenever and as many times as necessary in the future ("Example: refresh token request")
MN86
3 years agoNew member | Level 2
Thanks for the quick answer! The flow is a lot clearer to me now. Is it possible to change the "oauth2/authorize_submit" page to refer to the code it returns as an Authorization code instead of an Access code? It is a small thing but I'm probably not the only one wondering where an "Access code" should be used and where/how I could obtain an "Authorization code".
- Greg-DB3 years agoDropbox Staff
Thanks for the note! I'll ask the team to fix up that text.
About Discuss Dropbox Developer & API
Make connections with other developers
795 PostsLatest Activity: 4 hours agoIf you need more help you can view your support options (expected response time for an email or ticket is 24 hours), or contact us on X or Facebook.
For more info on available support options for your Dropbox plan, see this article.
If you found the answer to your question in this Community thread, please 'like' the post to say thanks and to let us know it was useful!