Application token key

guymayor · ‎01-29-2020

Is it possible to get a token key only with APP_KEY and APP_SECRET without redirect_uri the authorizing URL that needes the user to open the URL in a new tab and copy-paste the code?

If not, can I assume that this code will never be expired?

Greg-DB · ‎01-29-2020

@guymayor Здравко is correct; the Dropbox API doesn't offer a way to upload files based only on the app key and secret. The app key and secret only identify the app itself. Making changes to an account, such as uploading files, requires authorization to access that account.

The Dropbox API doesn't offer any sort of "app account" or "app storage" where you can upload files outside of any specific user account, but I'll pass this along as a feature request. I can't promise if or when that might be implemented though.

To get an access token for a specific user account for the Dropbox API you need to send the user through the OAuth app authorization flow.

Likewise, to get an access token for an entire Dropbox Business team for the Dropbox Business API you need to send a team admin through the OAuth app authorization flow. If the Dropbox Business API app is registered for the "team member file access" permission, you can then use the resulting access token to access any member's account via the "member file access" feature documented here. The individual member doesn't need to additionally authorize the app, as it's been authorized for the entire team by a team admin.

Finally, an actual Dropbox API access token does not expire by itself, but it can be revoked by the user or app at any time. Also, note that "access tokens" are not the same as "authorization codes". Authorization codes are short-lived, single-use codes that can be exchanged for an access token.

View solution in original post

Здравко · ‎01-29-2020

@guymayor wrote:
Is it possible to get a token key only with APP_KEY and APP_SECRET without redirect_uri the authorizing URL that needes the user to open the URL in a new tab and copy-paste the code?
...

Hi @guymayor,

APP_KEY and APP_SECRET represent the application identity, not to the user one! What kind of data, your application will get access to, if not directed to particular user?! That's what token key is for - linking your application instance to particular user profile/account. Of course, user should agree.

@guymayor wrote:
...
If not, can I assume that this code will never be expired?

If not deactivated in some way (either Dropbox, you or the user) - Yes. Otherwise - no.

Hope this helps.

guymayor · ‎01-29-2020

Hi @guymayor,
APP_KEY and APP_SECRET represent the application identity, not to the user one! What kind of data, your application will get access to, if not directed to particular user?! That's what token key is for - linking your application instance to particular user profile/account. Of course, user should agree.

Hey @Здравко Thanks for your answer,

This is a dropbox for business application so I want the application to perform actions with admin permissions. do I have to link the application to a specific user?

I even want to see only the team_folders and not the personal ones if it's possible

Здравко · ‎01-29-2020

As mentioned in API documentation:

For endpoints that accept performing actions on behalf of a team administrator using the Dropbox-API-Select-Admin header, files may be referenced using a namespace-relative path (e.g. "ns:123456/cupcake.png"). In this case, the namespace ID, "123456", would be the shared_folder_id or team_folder_id of the shared folder or the team folder containing the file or folder, and the path, "/cupcake.png", would be the logical path to the content relative to its shared folder or team folder container.

For more information take a look on Dropbox Business API documentation.

guymayor · ‎01-29-2020

Yes, I saw this on the API, the question is if the admin id that is set in Dropbox-API-Select-Admin header must be linked to the token key?

Здравко · ‎01-29-2020

I'm not sure what you really ask. Dropbox authorization is based on token keys, so such key is something mandatory.

guymayor · ‎01-29-2020

I'll rephrase the question,

Is it possible to use API methods that support Dropbox-API-Select-Admin header as authentication like files-upload with a token key that being generated only by app_ket and app_secert (without user approval)

Здравко · ‎01-29-2020

Read more carefully files-upload info, you have referred above. Is there any info about using this API point without token (what info will be accessed in such case)?! Read again, more carefully, my first post in this thread.

guymayor · ‎01-29-2020

I'm not sying access without a token, I just want to get a token without a user approval

guymayor · ‎01-29-2020

I'm not sying access without a token, I just want to get a token without a user approval

Application token key

Application token key

Top contributors to this post