enie
New member | Level 2
4 years ago
short lived access token is invalid seconds after login
Hello everyone,
a client of mine wanted to test the app that I made for them for the first time.
- They were able to accept that my app is going to access their files ✔︎
- they were redirec...
Greg-DB
Dropbox Community Moderator
4 years ago
Thanks for the additional information. That's helpful. The extra portion you're seeing on the access token is a region suffix, which Dropbox will append in certain cases. The access token is still meant to be opaque, so the app should still just use the access token string as provided, including that suffix, if present.
However I see the issue is that the value isn't being decoded before use, so attempting to use the encoded "%3AEUR" version fails. If you use the decoded version ":EUR", the access token should still work.
How are you parsing the access token from the redirected URL? You should make sure to decode it as a URL parameter when doing so, like in the example included with our JavaScript SDK, which uses this method to parse and decode the parameters.
(Alternatively, the newer and now recommended method for client-side apps is to use the PKCE flow, such as shown in this example for our JavaScript SDK. In that flow, the access token isn't returned on the redirected URL itself anyway.)
enie
New member | Level 2
4 years ago
Thank you so much for the help. Everything works as expected now.
I remember that I saw the `parseQueryString` function in the example and I naively replaced it with a one-liner 😬
If the budget allows it I will have another look at the PKCE version.
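The decoding step discussed in this thread, as an added example (not code from the posts or from the Dropbox SDK): a non-decoding fragment parser next to one that URL-decodes each parameter, so the region suffix arrives as ":EUR" rather than "%3AEUR". The redirect URL, token value and function names are constructed for illustration.

```javascript
// Constructed redirect URL; the token is a placeholder, not a real Dropbox token.
// The region suffix ":EUR" arrives percent-encoded as "%3AEUR".
const SAMPLE_REDIRECT =
  'https://app.example/auth#access_token=CONSTRUCTED_TOKEN_VALUE%3AEUR' +
  '&token_type=bearer&expires_in=14400&state=a%2Bb%3D1';

// Non-decoding variant: splits on "&" and "=" only, so values stay
// percent-encoded and the token keeps the literal "%3AEUR".
function parseFragmentNaive(url) {
  const fragment = url.split('#')[1] || '';
  const out = {};
  for (const pair of fragment.split('&')) {
    const [key, value] = pair.split('=');
    if (key) out[key] = value;
  }
  return out;
}

// Decoding variant: split each pair on the first "=" only, then
// URL-decode key and value. decodeURIComponent throws URIError on a
// malformed escape, which is left to propagate to the caller.
function parseFragment(url) {
  const hashIndex = url.indexOf('#');
  const fragment = hashIndex === -1 ? '' : url.slice(hashIndex + 1);
  const out = Object.create(null); // no inherited keys such as "constructor"
  for (const pair of fragment.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawValue = eq === -1 ? '' : pair.slice(eq + 1);
    out[decodeURIComponent(rawKey)] = decodeURIComponent(rawValue);
  }
  return out;
}

// The token is opaque: use the decoded string exactly as provided,
// including any suffix, when building the Authorization header.
function authorizationHeader(url) {
  const token = parseFragment(url).access_token;
  if (!token) throw new Error('no access_token in redirect fragment');
  return `Bearer ${token}`;
}
```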