Issue in generating access token

Mostafa Ezzat I see Здравко very helpfully offered a detailed walk-through of this flow. Please let us know if this still isn't working for you.

Thanks for all it's working

Hi Здравко

It's possible obtain the code in this call :

https://www.dropbox.com/oauth2/authorize?token_access_type=offline&response_type=code&client_id=<App key>

permanently? When I send a request, the code is only available for a first time, when I used in a future call, the code is invalid.

Thanks for all

---

FARO wrote:

... When I send a request, the code is only available for a first time, when I used in a future call, the code is invalid.

...

---

Hi FARO,

🙂How long you expect a code to be used?! 🧐

Let's see. If you forget your credentials to some service and there is a option to receive a recovery code throughout a registered phone number with SMS (for example), how many times you can use received code??? 🤔 Would be reliable and secure if such code can be used for multiple recovering? (such codes are usually relatively short and simple, so easy to use, but to guess too) 😯 That's why such codes are "single shot" (i.e. one time use) and usually for limited time.

The code you are talking about is a member of the same "team" of codes. It's used for one time authorization (together with all other provided information). The refresh token you are receiving on call authenticated successfully with this code can be used multiple times, not the code itself! 😉 Take care! As far as I can guess, according your description, you ignored actual refresh token all the time. Don't ignore it, but keep and use it on followup access token refresh (exactly as mentioned - follow it exactly and don't try to interpret and modify, if your aren't sure what exactly you are doing).

Hope this clarifies matter.

FARO Здравко is correct; that code is an "authorization code", which can only be used once each. You should process that and instead store and re-use the "refresh token", which can be used repeatedly. Check out the OAuth Guide and authorization documentation for more information.

I'm  getting the following error:

Hi matthewknill,

The message, you posted, is clear enough - your authorization header is malformed. Are you certain your header matches the pattern:

Authorization: Bearer <Your access token here>

According to the data in your post, it's not. 🤔 How exactly have you formatted it?

Hope this gives direction.

I've followed process exactly then used the following to get the refresh token:

curl https://api.dropbox.com/oauth2/token \
-d code=<Access Code> \
-d grant_type=authorization_code \
-u <App key>:<App secret>

In such a case it sounds like some copy/paste error. Make sure that everything enlabeled like "<something>" is replaced exactly to what the something means! 🤷 Don't put anything more or less there. That's it.

Hmm, I thought I did copy it accurately but maybe not, I did it again and it seemed to work.

Thanks and sorry for the hassle...

I was able to get my access code generated.

Then i open terminal as admin - and do the curl command replacing the app key and app secrete and inserting the access code.

Red XXXXX below are my account codes but replaced with xxxxx's

However I get a red error in Terminal. it says

Invoke-WebRequest : Parameter cannot be processed because the parameter name 'u' is ambiguous. Possible matches include: -UseBasicParsing -Uri -UseDefaultCredentials -UserAgent.
At line:1 char:128
+ ... xxxxxxxxxxxxxxxxxxxx -d grant_type=authorization_code -u xxxxxxx ...
+ ~~
+ CategoryInfo : InvalidArgument: (:) [Invoke-WebRequest], ParameterBindingException
+ FullyQualifiedErrorId : AmbiguousParameter,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

:EDIT:I googled and found article to do the following command inside Terminal to fix this issue. - That seemed to work so I'll paste it here for anyone else who runs into this issue on Windows 11.
Remove-item alias:curl

Now I'm stuck at the message
"Enter host password for user 'xxxxxxxxxxxxxxxxxxxxxxxxx':

I've Typed password - I've copy pasted but the error I keep getting is

{"error": "invalid_client: Invalid client_id or client_secret"}

I know my app key and app secret is correct. And the host password I assume is my dropbox password to get into my account.

any thoughts on this?

Kloss The original "-u" option shown earlier in this thread is an option for curl for specifying the Basic credentials (which in this case should be the app key and secret). It looks like in your environment it was getting sent to Invoke-WebRequest, where "-u" is ambiguous. I'm glad to hear you already sorted that out.

For this /oauth2/token call, you would specify the app key and secret, but not your account password. The "-u" option is a way to specify the app key and secret, in place of what would be the username and password in other contexts. So, to specify the app key and secret, you could use it like "-u <appkey>:<appsecret>", where <appkey> is your app key, and <appsecret> is your app secret; do not enter your account password.

---

Kloss wrote:

...
I know my app key and app secret is correct. And the host password I assume is my dropbox password to get into my account.
...

---

Kloss, your account id (email) or password have nothing to do here! The only thing you need to authenticate is your application, nothing more. Check your shell syntax (might be some typing error, for instance). You account identification has already been performed in your browser. 😉

Good luck.

Thank you. Your answer was very helpful to me. It should be in the guide articles.

Hi Здравко

I have followed your (very generous) steps.  Every works fine... I get back the JSON I am expecting as per your post. ie I get the access token, a refresh token and bunch of other data.  However when I use the 'sl...' access token just generated to upload a file, I get the following error:

{"error_summary": "expired_access_token/...", "error": {".tag": "expired_access_token"}}

I have tried the flow you recommend several times to ensure I have all inputs correct, and get the same error.

Then I tried generating an access token directly from the app console for the app.  This returned the same error.

Any thoughts on where I should focus?

tx

c

calexmac An 'expired_access_token' error indicates that the particular short-lived access token you used has expired, so you'd need to get a new one to continue making API calls. If you have a refresh token, you can do so by calling /oauth2/token with grant_type=refresh_token. Please refer to the messages at the beginning of this thread for more information.

Does this method still work until now?

Yes The Kingdom, it does. It has never stopped. 😉 Do you have any issue? 🧐

Nice New Year holiday for everybody!

Hm.. 🤔 To be honest, I'm not sure what you ask me for. API/SDKs are software tools directed for usage in software project (or even simple client script). This is valid for any kind of such tools (no limit to Dropbox API/SDK). In the same context you need some basic coding skills, at least! My example here shows how authentication can work in a very basic and simplistic way. It's not the only way. The same way can be used for some prebuild third party software, but better ask the software provider how exactly, if you don'f feel yourself confident enough.

Hope this gives direction.