useparagon
Explorer | Level 3
2 years ago

Dropbox Sign refresh token getting expired after 1 hour

Hello,

I have successfully implemented the authentication flow for the Dropbox Sign API and obtained the initial access token and refresh token. However, I noticed that the refresh token expires after only 1 hour, which requires frequent reauthorization and disrupts the seamless user experience. I expected the refresh token to have a longer validity period for smoother token management.

 

authUrl='https://app.hellosign.com/oauth/authorize?response_type=code&client_id=12345678&redirect_uri=redirect-url&token_access_type=offline&state=121324234'

----------------------------------------------------------------
// code exchange req

curl --location 'https://app.hellosign.com/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data '{
    "code": "code",
    "grant_type": "authorization_code",
    "redirect_uri": "redirect_uri",
    "client_id": "client_id",
    "client_secret": "client_secret"
}'

 

Upon making a request for refresh token I am getting the below error

 

req schema:-
curl --location 'https://app.hellosign.com/oauth/token?=null' \
--header 'Content-Type: application/json' \
--data '{
    "grant_type": "refresh_token",
    "refresh_token": "refresh_token"
}'
______________________________________________________________________________
response:-
{
    "error": "invalid_grant",
    "error_description": "Invalid grant data (refresh token)"
}

 


 Thank you in advance for your support and contributions. 

    • useparagon
      Explorer | Level 3

      Thanks for the quick reply, I understand that access tokens have a short lifespan and refresh tokens have a large lifespan but in my case, both tokens seem to work fine for 1 hour. If I try to refresh the access token after 1 hour I am simply getting the error that I have mentioned above in the conversation.

      • DB-Des
        Dropbox Engineer

        Did you get a chance to read over the documentation for Dropbox Sign's OAuth workflow?

         

        Only reason I'm asking is because the samples you provided include endpoints not related to Dropbox Sign API, with parameters that seem to be for Dropbox API's OAuth workflow and not Dropbox Sign's.

         

        For example, your authUrl

        authUrl='https://app.hellosign.com/oauth/authorize?response_type=code&client_id=12345678&redirect_uri=redirect-url&token_access_type=offline&state=121324234'

        is using endpoint /oauth/authorize which is not an endpoint for Dropbox Sign API. Also, the query parameters are not relevant to Dropbox Sign — except for client_id and state.

         

        Additionally, the body you are sending on your request:

        --data '{
            "code": "code",
            "grant_type": "authorization_code",
            "redirect_uri": "redirect_uri",
            "client_id": "client_id",
            "client_secret": "client_secret"
        }'

         is missing the state parameter. Also redirect_uri is not relevant to Dropbox Sign.

         

        I would recommend attempting the following cURL command to generate an access token:

        curl -X POST 'https://app.hellosign.com/oauth/token' \
          -u 'YOUR_API_KEY:' \
          -F 'client_id=YOUR_CLIENT_ID' \
          -F 'state=state' \
          -F 'code=code' \
          -F 'grant_type=authorization_code' \
          -F 'client_secret=client_secret'
        

         

        And the following to generate a new access token, when needed:

        curl -X POST 'https://app.hellosign.com/oauth/token?refresh' \
          -u 'YOUR_API_KEY:' \
          -F 'grant_type=refresh_token' \
          -F 'refresh_token=refresh_token'
        

         

        If you are still receiving errors from Sign's API OAuth endpoints, go ahead and contact our support team, from the email you are using to test Dropbox Sign's API, so they can further troubleshoot.
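
An added example, not part of the thread and not Dropbox's own code: a small Python token manager built around the refresh request from the last reply. It refreshes shortly before expiry, keeps any new refresh token the response carries, and treats `invalid_grant` as a signal to send the user back through authorization. `TokenManager`, `build_refresh_request` and `http_send` are hypothetical names, and the response field names (`access_token`, `refresh_token`, `expires_in`) are assumed from RFC 6749 rather than taken from the thread.

```python
import base64, json, time, urllib.error, urllib.request

TOKEN_URL = "https://app.hellosign.com/oauth/token?refresh"  # endpoint from the reply above

class ReauthorizationRequired(Exception):
    """The refresh token was rejected; the user must go through authorization again."""

def build_refresh_request(api_key, refresh_token, boundary="example-boundary"):
    # Same fields as the curl -F command: multipart/form-data, API key as Basic auth username.
    fields = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    body = "".join(
        f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
        for k, v in fields.items()) + f"--{boundary}--\r\n"
    basic = base64.b64encode(f"{api_key}:".encode()).decode()
    return urllib.request.Request(TOKEN_URL, data=body.encode(), method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": f"multipart/form-data; boundary={boundary}"})

def http_send(req):
    # Real transport; returns (status, parsed JSON) for success and error responses alike.
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)

class TokenManager:
    def __init__(self, api_key, access_token, refresh_token, expires_at,
                 send=http_send, clock=time.time):
        self.api_key, self.access_token = api_key, access_token
        self.refresh_token, self.expires_at = refresh_token, expires_at
        self.send, self.clock = send, clock

    def get_access_token(self, skew=60):
        if self.clock() < self.expires_at - skew:
            return self.access_token  # still valid, no network call
        status, payload = self.send(build_refresh_request(self.api_key, self.refresh_token))
        if status != 200:
            if payload.get("error") == "invalid_grant":
                raise ReauthorizationRequired(payload.get("error_description", ""))
            raise RuntimeError(f"token refresh failed: HTTP {status}")
        # Field names assumed per RFC 6749; keep the old refresh token if none is returned.
        self.access_token = payload["access_token"]
        self.refresh_token = payload.get("refresh_token", self.refresh_token)
        self.expires_at = self.clock() + int(payload.get("expires_in", 0))
        return self.access_token
```

Persist `refresh_token` and `expires_at` after every successful refresh, and pass a fake `send` callable in tests so no request leaves the machine.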