I generated an access token while creating my project on dropbox app console, and used that token to let my user's to fetch data from my drobox using my android app, everything worked fine for months but today i was getting an exception that my access token is not valid, then i generated a new access token from app console and it again started working, now that my token is changed and is affecting my users as they have the old one.. i want to know what has happened and how my token becomes invalid, is the token got changed or what.. i have over 5k installs on google play and now my all users are affecting

It sounds like you're referring to using the OAuth app authorization flow. That's the process you would implement in your app for the normal case where you have each end-user connect their own Dropbox account to receive their own access token. You can find more information in the OAuth Guide and authorization documentation (as well as the documentation for the SDK/library you're using, if any). In your case, since you're using the non-recommended method of hard-coding your own access token in the app you distribute to users, you don't need to use the OAuth app authorization flow at all. For reference, the access token you get for your own account by using the "Generate" button on your app's page on the App Console is functionally the same as an access token you would retrieve for your account via the OAuth app authorization flow.

While you yourself may not have revoked the token, it's possible someone who downloaded your app did. Since you embedded your access token in the app, someone could extract it from the app and then use /2/auth/token/revoke (or any other API endpoint) themselves. This is one of the reasons we don't recommend distributing your own access token like this.

By default, Dropbox API access tokens for your app(s) don't expire by themselves, but there a number of different ways that a Dropbox API access token can become invalid: the user can revoke all access tokens for an app by unlinking it on the connected apps page any client with the access token can revoke the access token by calling /2/auth/token/revoke if the app uses the "app folder" permission, the token can be disabled by the user deleting the app folder itself in the Dropbox account, either via the Dropbox website or any client the app can be disabled the account that owns the app can be disabled the connected account can be disabled Also, I should note that the Dropbox API was designed with the intention that each end-user would link their own Dropbox account, in order to interact with their own files, in which case they would only have access to their own access token(s). It is technically possible to connect to just one account, by always using a specific access token, for all end-users of your app, and it sounds like that's what you're doing in this case. Please be aware that we don't recommend doing so, for various technical and security reasons. This is especially true for client-side apps, such as Android apps, as they can't keep the access token a secret from the end-users.

Aslo note down that my app console is still in development mode and my app is published on playstore,i have hard coded the access token in my android app so the users can able to fetch data from my dropbox withouth any aunthentication, is that may be the reason that my access token gets invalid because my app console is still in development mode?

No, your app being in development mode would not affect access token validity. The development mode only limits how many different Dropbox accounts can be connected to your app. Since you are only connecting your app to your one account, that isn't relevant.

Invalid access token | The Dropbox Community

14 Replies

Replies have been turned off for this discussion

Greg-DB
Dropbox Community Moderator
7 years ago
By default, Dropbox API access tokens for your app(s) don't expire by themselves, but there a number of different ways that a Dropbox API access token can become invalid:

the user can revoke all access tokens for an app by unlinking it on the connected apps page

any client with the access token can revoke the access token by calling /2/auth/token/revoke

if the app uses the "app folder" permission, the token can be disabled by the user deleting the app folder itself in the Dropbox account, either via the Dropbox website or any client

the app can be disabled

the account that owns the app can be disabled

the connected account can be disabled

Also, I should note that the Dropbox API was designed with the intention that each end-user would link their own Dropbox account, in order to interact with their own files, in which case they would only have access to their own access token(s).

It is technically possible to connect to just one account, by always using a specific access token, for all end-users of your app, and it sounds like that's what you're doing in this case. Please be aware that we don't recommend doing so, for various technical and security reasons. This is especially true for client-side apps, such as Android apps, as they can't keep the access token a secret from the end-users.
Muneebzzzz
Explorer | Level 4
7 years ago
Aslo note down that my app console is still in development mode and my app is published on playstore,i have hard coded the access token in my android app so the users can able to fetch data from my dropbox withouth any aunthentication, is that may be the reason that my access token gets invalid because my app console is still in development mode?
Greg-DB
Dropbox Community Moderator
7 years ago
No, your app being in development mode would not affect access token validity. The development mode only limits how many different Dropbox accounts can be connected to your app. Since you are only connecting your app to your one account, that isn't relevant.
Muneebzzzz
Explorer | Level 4
7 years ago
I got the information while generating the access token that i should use standard auth process to generate access tokens for my users. What does that mean then
Greg-DB
Dropbox Community Moderator
7 years ago
It sounds like you're referring to using the OAuth app authorization flow. That's the process you would implement in your app for the normal case where you have each end-user connect their own Dropbox account to receive their own access token. You can find more information in the OAuth Guide and authorization documentation (as well as the documentation for the SDK/library you're using, if any).

In your case, since you're using the non-recommended method of hard-coding your own access token in the app you distribute to users, you don't need to use the OAuth app authorization flow at all.

For reference, the access token you get for your own account by using the "Generate" button on your app's page on the App Console is functionally the same as an access token you would retrieve for your account via the OAuth app authorization flow.
Muneebzzzz
Explorer | Level 4
7 years ago
This is sample code which iam using to make my user a client through access token.. am i making some mistake which can cause to my access token invalid?

public class Main { private static final String ACCESS_TOKEN = "<ACCESS TOKEN>"; public static void main(String args[]) throws DbxException { // Create Dropbox client DbxRequestConfig config = DbxRequestConfig.newBuilder("dropbox/java-tutorial").build(); DbxClientV2 client = new DbxClientV2(config, ACCESS_TOKEN); }

FullAccount account = client.users().getCurrentAccount();

ListFolderResult result = client.files().listFolder(""); while (true) { for (Metadata metadata : result.getEntries()) { System.out.println(metadata.getPathLower()); } if (!result.getHasMore()) { break; } result = client.files().listFolderContinue(result.getCursor()); }
Greg-DB
Dropbox Community Moderator
7 years ago
No, there's nothing in this code that would invalidate the access token.

Please refer to my earlier comment for a list of things that can disable an access token.
Muneebzzzz
Explorer | Level 4
7 years ago
I have read them all and i didnot use any code which could lead my user to invalidate access token, my app was working fine for 10 months without any trouble but this month i have got two times invalid token exceptions and i do not know what could cause it, i have to update my app with new token each time
Greg-DB
Dropbox Community Moderator
7 years ago
While you yourself may not have revoked the token, it's possible someone who downloaded your app did. Since you embedded your access token in the app, someone could extract it from the app and then use /2/auth/token/revoke (or any other API endpoint) themselves. This is one of the reasons we don't recommend distributing your own access token like this.
Muneebzzzz
Explorer | Level 4
7 years ago
Yes you are right Greg, i have to secure my token.. one last question that iam not using app secret code in my app, is that code use for the auth process? And thanks for the quick response

Forum Discussion

Invalid access token

14 Replies

About Dropbox API Support & Feedback

Related Content

Invalid access token

Refresh token generates an invalid access token?

Invalid access token - across multiple Dropbox Team Spaces

Get refresh token from access token?

Permananet Access Token

Recent Discussions

Shared Link - Download in .NET

Dropbox API server root certificate changes for .Net

GetCurrentAccountAsync API Failing for some Team Members while using Impersonation

Find DBID on Local PC

How to replace a non-existent permanent token? Any auto-refresh alternative for automation?