Start 2025 on time and up to date. Seamlessly integrate your calendars into Dropbox with these simple steps.

Forum Discussion

Inke's avatar
Inke
New member | Level 2
3 years ago

PHP: Error in call to API function "files/upload": The given OAuth 2 access token is malformed.

How do I fix this? The code is:

<?php$path = '(full path to file)';

$fp = fopen($path, 'rb');
$size = filesize($path);

$cheaders = array('Authorization: Bearer <API>',
'Content-Type: application/octet-stream',
'Dropbox-API-Arg: {"path":"/test/'.$path.'", "mode":"add"}');

$ch = curl_init('https://content.dropboxapi.com/2/files/upload');
curl_setopt($ch, CURLOPT_HTTPHEADER, $cheaders);
curl_setopt($ch, CURLOPT_PUT, true);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');
curl_setopt($ch, CURLOPT_INFILE, $fp);
curl_setopt($ch, CURLOPT_INFILESIZE, $size);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);

echo $response;
curl_close($ch);
fclose($fp);

?>

  • Greg-DB's avatar
    Greg-DB
    Icon for Dropbox Staff rankDropbox Staff

    A "The given OAuth 2 access token is malformed" error should indicate that the string you're passing as the Bearer access token in your request, shown as "<API>" in the code you shared, is not a valid Dropbox API access token. Make sure you're passing in the exact access token as you received it from Dropbox, without any modifications or extra characters/whitespace, etc. You can find more information on the authorization flow and access tokens in the OAuth Guide and authorization documentation.

    • Inke's avatar
      Inke
      New member | Level 2

      The token is short living. How do I change it so refresh token from that?

      • Greg-DB's avatar
        Greg-DB
        Icon for Dropbox Staff rankDropbox Staff

        Dropbox is in the process of switching to only issuing short-lived access tokens (and optional refresh tokens) instead of long-lived access tokens. You can find more information on this migration here.

        Apps can still get long-term access by requesting "offline" access though, in which case the app receives a "refresh token" that can be used to retrieve new short-lived access tokens as needed, without further manual user intervention. You can find more information in the OAuth Guide and authorization documentation.

        For reference, while the creation of new long-lived access tokens is now deprecated, we don't currently have a plan to disable existing long-lived access tokens. (If that changes, we will of course announce that ahead of time.) That being the case, you can continue using existing long-lived access token(s) without interruption, if you have any. Also, note though that after the change you won't be able to create new long-lived access tokens.