Dropbox Access Token Validity

saxsax
New member | Level 2

I created an app using a Dropbox access token for my WordPress website, but when I right-click on the website page I can see the access token.

If someone has access to this access token, will they be able to access my Dropbox and its files?


Greg-DB
Dropbox Staff

Yes, an access token enables access to an account via the Dropbox API to the extent allowed by the app's permission. For this reason, you should never share or expose an access token for your own account to other users. Users should only ever have access to their own access token(s).

Given that your access token has been published, I recommend revoking it. 

For the functionality you're looking for, you can instead have the users upload to your own server first, and then upload to Dropbox from your server. That way, the access token only needs to exist on your server, not exposed to the end-users.

Alternatively, you could use /2/files/get_temporary_upload_link (again from your server) to pass down a temporary upload link on the page so the file can be uploaded directly from the browser without exposing the access token client-side. (Note that this endpoint is still in preview though.)

saxsax
New member | Level 2

Thanks... if I delete the app, will that revoke the access token as well?

I have deleted the app from my account.

Greg-DB
Dropbox Staff

Yes, deleting the app will also prevent the access token from working.
