You might see that the Dropbox Community team have been busy working on some major updates to the Community itself! So, here is some info on what’s changed, what’s staying the same and what you can expect from the Dropbox Community overall.

Forum Discussion

Inke's avatar
Inke
New member | Level 2
3 years ago

PHP: Error in call to API function "files/upload": The given OAuth 2 access token is malformed.

How do I fix this? The code is:

<?php$path = '(full path to file)';

$fp = fopen($path, 'rb');
$size = filesize($path);

$cheaders = array('Authorization: Bearer <API>',
'Content-Type: application/octet-stream',
'Dropbox-API-Arg: {"path":"/test/'.$path.'", "mode":"add"}');

$ch = curl_init('https://content.dropboxapi.com/2/files/upload');
curl_setopt($ch, CURLOPT_HTTPHEADER, $cheaders);
curl_setopt($ch, CURLOPT_PUT, true);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');
curl_setopt($ch, CURLOPT_INFILE, $fp);
curl_setopt($ch, CURLOPT_INFILESIZE, $size);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);

echo $response;
curl_close($ch);
fclose($fp);

?>

  • Greg-DB's avatar
    Greg-DB
    Icon for Dropbox Staff rankDropbox Staff

    A "The given OAuth 2 access token is malformed" error should indicate that the string you're passing as the Bearer access token in your request, shown as "<API>" in the code you shared, is not a valid Dropbox API access token. Make sure you're passing in the exact access token as you received it from Dropbox, without any modifications or extra characters/whitespace, etc. You can find more information on the authorization flow and access tokens in the OAuth Guide and authorization documentation.

    • Inke's avatar
      Inke
      New member | Level 2

      The token is short living. How do I change it so refresh token from that?

      • Greg-DB's avatar
        Greg-DB
        Icon for Dropbox Staff rankDropbox Staff

        Dropbox is in the process of switching to only issuing short-lived access tokens (and optional refresh tokens) instead of long-lived access tokens. You can find more information on this migration here.

        Apps can still get long-term access by requesting "offline" access though, in which case the app receives a "refresh token" that can be used to retrieve new short-lived access tokens as needed, without further manual user intervention. You can find more information in the OAuth Guide and authorization documentation.

        For reference, while the creation of new long-lived access tokens is now deprecated, we don't currently have a plan to disable existing long-lived access tokens. (If that changes, we will of course announce that ahead of time.) That being the case, you can continue using existing long-lived access token(s) without interruption, if you have any. Also, note though that after the change you won't be able to create new long-lived access tokens.