No Refresh token is returned

Is this a newly created scoped app or an app that you're migrating? The OAuth Guide or blog post, Migrating App Permissions and Access Tokens, might be useful resources here.

In your app's settings there is an OAuth 2 section. Is the "Access token expiration" set to "Short-lived"? 

Its a new scoped app and "Access token expiration" is set to "Short-lived".

Hi! I have exactly the same problem. Can you please clarify what you mean by "swap"?

Where should I use the code (https://api.dropbox.com/oauth2/token)? curl? With any parameter/ID?

Can you please give me an easy procedure to follow, or an example? Thank you

MarteIT By "swap", Taylor was referring to how the app sends the "authorization code" (which is received from the /oauth2/authorize OAuth step) in the request to the Dropbox /oauth2/token endpoint, and how the Dropbox API would send the access token and refresh token back in the response.

I recommend reading the OAuth Guide for an overview of how this process works. Then, refer to the authorization documentation for information on the specific endpoints and parameters to use, including examples of calling /oauth2/token using curl.

Hi Greg, thank you for your reply. I thought Taylor was referring to a somehow different procedure.

What you wrote was already clear to me and that's what I've been trying many times. The problem is that whenever I use the "authorization code" (which is received from the /oauth2/authorize OAuth step) and use it in the request to the Dropbox /oauth2/token endpoint, I get the following error:

{"error_description": "refresh token is malformed", "error": "invalid_grant"}

I'm just using the following command:

curl https://api.dropbox.com/oauth2/token -d grant_type=refresh_token -d refresh_token=["authorization code"] -u [xxxxxx]:[yyyyyyy]

Where am I wrong?

MarteIT To exchange or "swap" the authorization code for an access token and refresh token you should use "grant_type=authorization_code", as shown in the "access token request in code flow" example (or "PKCE code flow token request" example, if using PKCE) in the /oauth2/token documentation.

Using "grant_type=refresh_token" is for when you would later use a refresh token to get a new short-lived access token.

Oh alright! I didn't get that. Honestly I find the documentation really misleading:

Example: refresh token request

curl https://api.dropbox.com/oauth2/token \
    -d grant_type=refresh_token \
    -d refresh_token=<REFRESH_TOKEN> \
    -u <APP_KEY>:<APP_SECRET>

Anyway, now I used:

curl https://api.dropbox.com/oauth2/token -d code=[auth code] -d grant_type=authorization_code -d redirect_uri=https://www.dropbox.com/1/oauth2/display_token -u [xxxxxx]:[yyyyyy]

and I got this error:

{"error_description": "redirect_uri mismatch", "error": "invalid_grant"}

I set the Redirect URIs --https://www.dropbox.com/1/oauth2/display_token--

as indicated in some of your previous replies. Still can't get it work. Any suggestion? Thank you.

MarteIT The 'redirect_uri' value you supply to /oauth2/token, if any, should exactly match the 'redirect_uri' value supplied to /oauth2/authorize, if any, when that particular authorization code was retrieved. If they don't match, you'll get this error.

The https://www.dropbox.com/1/oauth2/display_token  page is a basic page provided by Dropbox for use with the "token" flow (if the app doesn't have its own redirect URI to use and so instead needs to display the access token directly to the user), not the "code" flow as you're using here, so it probably doesn't make sense for your use case.

Finally it worked!! 🙂

Thank you for your patience.