gagsbh
4 years ago, Helpful | Level 5
New Dropbox API Updates
Hello Greg-DB
I received an email from Dropbox - Action Required: Important Dropbox API Updates.
I have an existing Dropbox app that uses old way of scopes/permissions and long-lived access tokens.
What changes do I need to do on the following 2 Dropbox API updates ?
------------------------------------------------------------------------------------------------------------------------------
1. As a reminder, on September 30th, 2021, the Dropbox OAuth flow will no longer return new long-lived access tokens.
It will instead return short-lived access tokens, and optionally return refresh tokens. Existing tokens are not impacted.
Apps that require background access will need to update their code to use refresh tokens, which is made easier by using our updated SDKs.
All other apps should ensure that users are directed to re-authorize upon token expiration.
---------
Qs 1A) I have an existing app that stores long-lived access token in the database by asking users to do one-time authorization.
Do I need to migrate these customers to short-lived access tokens or will the old long-lived access tokens work ?
Qs 1B) For new customers, what design changes are required to be done by me ?
Do I need to store both short-lived tokens and refresh token or just refresh token in database ?
What is the life time of refresh token ? What happens when the refresh tokens expire ?
In case refresh token expires, do I need to re-authorize users to get new short-lived access token and refresh tokens ?
Ideally I want to just ask users to sign-up/authorize once.
-------------------------------------------------------------------------------------------------------------------------------
2. The Dropbox API now supports more granular permission scopes.
While you review your application’s OAuth flow, be sure to check for scopes that may not be required.
Qs 2A) I have existing users who have granted permissions using the old way. Are these impacted ?
What about new users - do I need to modify scopes/permissions for my Dropbox App or will my App automatically be updated to new scopes ?
Thanks,
Gagan
1A) The creation of new long-lived access tokens is now considered deprecated, but we don't currently have a plan to disable existing long-lived access tokens. (If that changes, we will of course announce that ahead of time.) That being the case, you can continue using existing long-lived access token(s). You do not need to have these existing users re-authorize the app.
1B) For new users, you should use the new short-lived access token and refresh token functionality. You can find more information in the OAuth Guide and authorization documentation. You do not technically need to store the short-lived access tokens, only the refresh tokens, since you can use the refresh tokens to get new short-lived access tokens on demand.
Refresh tokens do not expire by themselves, unless/until revoked, e.g., by the app or user. If a refresh token is revoked, you should send the user through the authorization flow to get a new one, if they wish to continue using the integration. (This is just like with revoked long-lived access tokens.)
2A) Migrating to scopes does not impact existing access tokens. Existing access tokens will continue to have whatever permission they were originally granted.
You should migrate your app to scopes and select only the scopes needed for your app. You can migrate your app using the "Permissions" tab of the app's page on the App Console. You can see which scope is required for each endpoint in the API documentation.
- Greg-DB, Dropbox Staff
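The storage model described in answer 1B, as an added example that is not part of the original thread or of any Dropbox SDK: only the refresh token is persisted, short-lived access tokens are fetched on demand and cached in memory, and a revoked refresh token surfaces as a signal to re-run the authorization flow. The names `DropboxTokenSource`, `ReauthorizationRequired` and `http_post_form` are hypothetical; the token endpoint URL and the standard OAuth 2.0 `invalid_grant` error code are assumptions not stated on this page.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Assumption: Dropbox's OAuth 2.0 token endpoint (not quoted in the thread).
TOKEN_URL = "https://api.dropboxapi.com/oauth2/token"


class ReauthorizationRequired(Exception):
    """The refresh token was rejected; send the user through the OAuth flow again."""


def http_post_form(url, fields):
    """POST form fields over HTTPS and return (status, parsed JSON body)."""
    data = urllib.parse.urlencode(fields).encode()
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=data), timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)


class DropboxTokenSource:
    """Holds the stored refresh token; access tokens never leave process memory."""

    def __init__(self, refresh_token, app_key, app_secret, post=http_post_form, clock=time.time):
        self._refresh_token = refresh_token
        self._app_key, self._app_secret = app_key, app_secret
        self._post, self._clock = post, clock
        self._access_token, self._expires_at = None, 0.0

    def access_token(self, skew=60):
        # Reuse the cached token until `skew` seconds before it expires.
        if self._access_token and self._clock() < self._expires_at - skew:
            return self._access_token
        status, body = self._post(TOKEN_URL, {
            "grant_type": "refresh_token",
            "refresh_token": self._refresh_token,
            "client_id": self._app_key,
            "client_secret": self._app_secret,
        })
        # A revoked refresh token is reported with the OAuth 2.0 error "invalid_grant".
        if status == 400 and body.get("error") == "invalid_grant":
            raise ReauthorizationRequired(body.get("error_description", "refresh token rejected"))
        if status != 200:
            raise RuntimeError(f"token endpoint returned HTTP {status}")
        self._access_token = body["access_token"]
        self._expires_at = self._clock() + int(body["expires_in"])
        return self._access_token
```

Because the refresh token does not expire on its own, it is the long-lived credential in this design and should be encrypted at rest in the database, just as the old long-lived access tokens should have been.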