Forum Discussion

New member | Level 2

3 years ago

Get refresh token from access token?

I can get an access token from the website at https://www.dropbox.com/developers/apps/info/****** for my server-based app. Those tokens seem to work for what I need, which is just to retrieve ...

APIs

Greg-DB
3 years ago
It's not possible to get a refresh token from an access token. A refresh token can only be retrieved by authorizing the app via the OAuth app authorization flow. (The "Generate" button on an app's page on the App Console does not offer the ability to get a refresh token; that only returns an access token.) To get a refresh token for a user account, an app should implement the OAuth app authorization flow, and request "offline" access. You can also find more information in the authorization documentation.

The /oauth2/token call you shared is failing because the "code" parameter there expects an "authorization code", not an access token.

If this is just for your own account though, you can process this manually without implementing the OAuth app authorization flow in your app's code/UI.

For instance, you could:

1. Make your OAuth app authorization URL like this: (plug in your app key in place of "APPKEYHERE").

https://www.dropbox.com/oauth2/authorize?client_id=APPKEYHERE&response_type=code&token_access_type=offline

2. Browse to that page in your browser while signed in to your account and click "Allow" to authorize it.

3. Copy the resulting authorization code.

4. Exchange the authorization code for an access token and refresh token like this, e.g., using curl on the command line: (plug in the authorization code from step 3 in place of "AUTHORIZATIONCODEHERE", the app key in place of "APPKEYHERE", and the app secret in place of "APPSECRETHERE").

curl https://api.dropbox.com/oauth2/token \ -d code=AUTHORIZATIONCODEHERE \ -d grant_type=authorization_code \ -u APPKEYHERE:APPSECRETHERE

The response will contain a short-lived access token and refresh token that you can then use as needed.

5. Store the returned refresh token. (It can be repeatedly re-used and doesn't expire by itself, though it can be revoked on demand.)

6. Use the returned short-lived access token to make API calls until it expires. For example, here's how a call to get the connected user information would look like: (plug in the access token from step 4 in place of "ACCESSTOKENHERE")

curl -X POST https://api.dropboxapi.com/2/users/get_current_account \ --header "Authorization: Bearer ACCESSTOKENHERE"

7. Retrieve a new short-lived access token whenever needed like this, e.g., using curl on the command line: (plug in the refresh token from step 5 in place of "REFRESHTOKENHERE", the app key in place of "APPKEYHERE", and the app secret in place of "APPSECRETHERE")

curl https://api.dropbox.com/oauth2/token \ -d refresh_token=REFRESHTOKENHERE \ -d grant_type=refresh_token \ -d client_id=APPKEYHERE \ -d client_secret=APPSECRETHERE

8. Use the returned short-lived access token to make API calls until it expires. For example, here's how a call to get the connected user information would look like: (plug in the new access token from step 7 in place of "ACCESSTOKENHERE")

curl -X POST https://api.dropboxapi.com/2/users/get_current_account \ --header "Authorization: Bearer ACCESSTOKENHERE"

Repeat steps 7 and 8 programmatically as needed.

Hope this helps!

Greg-DB

Dropbox Staff

It's not possible to get a refresh token from an access token. A refresh token can only be retrieved by authorizing the app via the OAuth app authorization flow. (The "Generate" button on an app's page on the App Console does not offer the ability to get a refresh token; that only returns an access token.) To get a refresh token for a user account, an app should implement the OAuth app authorization flow, and request "offline" access. You can also find more information in the authorization documentation.

The /oauth2/token call you shared is failing because the "code" parameter there expects an "authorization code", not an access token.

If this is just for your own account though, you can process this manually without implementing the OAuth app authorization flow in your app's code/UI.

For instance, you could:

1. Make your OAuth app authorization URL like this: (plug in your app key in place of "APPKEYHERE").

https://www.dropbox.com/oauth2/authorize?client_id=APPKEYHERE&response_type=code&token_access_type=offline

2. Browse to that page in your browser while signed in to your account and click "Allow" to authorize it.

3. Copy the resulting authorization code.

4. Exchange the authorization code for an access token and refresh token like this, e.g., using curl on the command line: (plug in the authorization code from step 3 in place of "AUTHORIZATIONCODEHERE", the app key in place of "APPKEYHERE", and the app secret in place of "APPSECRETHERE").

curl https://api.dropbox.com/oauth2/token \
    -d code=AUTHORIZATIONCODEHERE \
    -d grant_type=authorization_code \
    -u APPKEYHERE:APPSECRETHERE

The response will contain a short-lived access token and refresh token that you can then use as needed.

5. Store the returned refresh token. (It can be repeatedly re-used and doesn't expire by itself, though it can be revoked on demand.)

6. Use the returned short-lived access token to make API calls until it expires. For example, here's how a call to get the connected user information would look like: (plug in the access token from step 4 in place of "ACCESSTOKENHERE")

curl -X POST https://api.dropboxapi.com/2/users/get_current_account \
    --header "Authorization: Bearer ACCESSTOKENHERE"

7. Retrieve a new short-lived access token whenever needed like this, e.g., using curl on the command line: (plug in the refresh token from step 5 in place of "REFRESHTOKENHERE", the app key in place of "APPKEYHERE", and the app secret in place of "APPSECRETHERE")

curl https://api.dropbox.com/oauth2/token \
   -d refresh_token=REFRESHTOKENHERE \
   -d grant_type=refresh_token \
   -d client_id=APPKEYHERE \
   -d client_secret=APPSECRETHERE

8. Use the returned short-lived access token to make API calls until it expires. For example, here's how a call to get the connected user information would look like: (plug in the new access token from step 7 in place of "ACCESSTOKENHERE")

curl -X POST https://api.dropboxapi.com/2/users/get_current_account \
    --header "Authorization: Bearer ACCESSTOKENHERE"

Repeat steps 7 and 8 programmatically as needed.

Hope this helps!

cwearring

New member | Level 2

2 years ago

Really great - solved my problem immediately - thanks for sharing!

About Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

5,875 PostsLatest Activity: 2 years ago

If you need more help you can view your support options (expected response time for an email or ticket is 24 hours), or contact us on X or Facebook.

For more info on available support options for your Dropbox plan, see this article.

If you found the answer to your question in this Community thread, please 'like' the post to say thanks and to let us know it was useful!

Forum Discussion

Get refresh token from access token?

About Dropbox API Support & Feedback

Related Content

Refresh Token Url

Invalid_Grant whlie generating Access Token using saved Refresh token in Dropbox Sign .NET SDK

refresh token is malformed

API access token expired

Dropbox OAuth2 Endpoint not giving refresh Token

Recent Discussions

How to add the entire team to team folder by api

API Upload .HEIC and convert to JPG

Invalid Folder Name with Team API

Zapier - 409 error path/not found

How to create a team folder and share with everyone of the team members using Dropbox API?