Dropbox API Support & Feedback
Find help with the Dropbox API from other developers.
I generated an access token while creating my project on dropbox app console, and used that token to let my user's to fetch data from my drobox using my android app, everything worked fine for months but today i was getting an exception that my access token is not valid, then i generated a new access token from app console and it again started working, now that my token is changed and is affecting my users as they have the old one.. i want to know what has happened and how my token becomes invalid, is the token got changed or what.. i have over 5k installs on google play and now my all users are affecting
By default, Dropbox API access tokens for your app(s) don't expire by themselves, but there a number of different ways that a Dropbox API access token can become invalid:
Also, I should note that the Dropbox API was designed with the intention that each end-user would link their own Dropbox account, in order to interact with their own files, in which case they would only have access to their own access token(s).
It is technically possible to connect to just one account, by always using a specific access token, for all end-users of your app, and it sounds like that's what you're doing in this case. Please be aware that we don't recommend doing so, for various technical and security reasons. This is especially true for client-side apps, such as Android apps, as they can't keep the access token a secret from the end-users.
No, your app being in development mode would not affect access token validity. The development mode only limits how many different Dropbox accounts can be connected to your app. Since you are only connecting your app to your one account, that isn't relevant.
It sounds like you're referring to using the OAuth app authorization flow. That's the process you would implement in your app for the normal case where you have each end-user connect their own Dropbox account to receive their own access token. You can find more information in the OAuth Guide and authorization documentation (as well as the documentation for the SDK/library you're using, if any).
In your case, since you're using the non-recommended method of hard-coding your own access token in the app you distribute to users, you don't need to use the OAuth app authorization flow at all.
For reference, the access token you get for your own account by using the "Generate" button on your app's page on the App Console is functionally the same as an access token you would retrieve for your account via the OAuth app authorization flow.
No, there's nothing in this code that would invalidate the access token.
Please refer to my earlier comment for a list of things that can disable an access token.
While you yourself may not have revoked the token, it's possible someone who downloaded your app did. Since you embedded your access token in the app, someone could extract it from the app and then use /2/auth/token/revoke (or any other API endpoint) themselves. This is one of the reasons we don't recommend distributing your own access token like this.
Hi there!
If you need more help you can view your support options (expected response time for a ticket is 24 hours), or contact us on X or Facebook.
For more info on available support options for your Dropbox plan, see this article.
If you found the answer to your question in this Community thread, please 'like' the post to say thanks and to let us know it was useful!