Make the application for everyone after review?

The key the email is referring to is just your app's existing app key. While in development mode, only up 100 users can link your app to their accounts. Once in production mode, any number of user accounts can be linked to your app. The development/production switch doesn't affect how your app or the app authorization flow works.

It sounds like you just want your app to connect to your own account and only your own account. The API was designed with the intention that each user would link their own Dropbox account, in order to interact with their own files. However, it is technically possible to connect to just one account. The SDKs don't offer explicit support for it and we don't recommend doing so, for various technical and security reasons. (You also don't actually need to be production mode if you only want to use your own account.)

However if you did want to go this route, instead of kicking off the authorization flow, you would manually use an existing access token for your app, instead of kicking off the app authorization flow. (Just be careful not to revoke it, e.g. via https://www.dropbox.com/account/security .)

The application is an application where students will upload their project instead of sending them by email, so I can manage the number of users, groups, duplicate works....
But if I do this, then all students must have an account at dropbox?

If you want the students to only upload to your own account, you can use the API with only your own access token as I described, and they won't need to have their own Dropbox accounts.

Then I will activate this value?
https://www.dropbox.com/s/i9vb28scbh28dg5/Sans%20titre.png?dl=0

Which thing in that screenshot are you referring to?

The first lets you enable/disable the "implicit" a.k.a. "token" OAuth 2 flow for your app.

The second lets you generate an access token for your account to connect to that app. If you do only need to connect to your own account that is an easy way to get an access token.

Can you give me an example, where I only grant users to upload, because finally this is the right solution, by using a full access, the user can even see the folder, which is dangerous!
So, I will go with the token in url way, but can you give me an example with an URL ?

I'm not sure I understand your question. Have you run into a specific issue you can post the details for?

We don't have specific samples for using a single account only, but it doesn't really change how you use the API, so I recommend working through the samples/tutorial for whatever SDK you're using.

Sorry for my questions, but the initial problem is: make users upload to dropbox folder, but are not allowed to see anything inside it?
So, from what I understand, I will make requests as they come from my account using the token I will generate from the console?

Yes, if you want them to upload to only your account, you can use the generated access token for your account. This can only be safely done if this is a web app, where you can protect the access token on the server.

Yes, I use environement variables (hosted at Openshift), so they will not be clear in the code in case someone got the script (python).
And I guess they will not get the HTTP request when the client sends it?