sam93
6 years ago
Explorer | Level 3
Getting wrong access token
Hi Team,
We have a web application in which we ask users to provide App Key and App Secret. After that we generate the access token and proceed ahead with our logic.
Recently, we faced a weird issue. We obtained App Key and App Secret from the app created in Dropbox X.
We opened up the web application in a browser where we are logged into a Dropbox Y account.
Now, while authorizing through the obtained App Key and App Secret which is from Dropbox X, it gives the access token of the App created in Dropbox Y.
Could you please help us with what could be wrong?
We are using /oauth2/authorize to obtain the access token.
Thanks in advance for your help!
Regards,
Sam
Greg-DB
Dropbox Staff
Thanks for the report. If I understand your message correctly though, this is the expected behavior, but please let me know if I've misunderstood or misread your message.
The account that "owns" an API app (and correspondingly owns its app key and secret), that is, the account that registered that API app, is not necessarily going to be the same as the account that any particular access token for that app allows access to.
Put another way:
- app key and secret: identify a particular app, and each app is "owned" by one account, but do not themselves enable access to any account
- access token: identifies a particular app and user pair, but the user is not necessarily the same as the app owner above
So, regardless of who registered the app in the first place, the resulting access token is going to be connected to the account that was signed in and authorized the app on the /oauth2/authorize page.
One potential point of confusion here is where you said "it gives the access token of the App created in Dropbox Y.". Do you mean that Dropbox Y also registered an API app, and that the resulting access token is for that app? If so, how are you checking that? The access token in this scenario should be for Dropbox account Y, but for the app owned by Dropbox account X.
By the way, we generally don't recommend having users register their own apps to get their own app keys and secrets. You as the developer of the app should just do that once per app, and use the resulting app key and secret in your app, in order to get access tokens for any end-users using your app. (Once in production mode, a single app can be used by any number of users.)
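The app/user distinction in the answer above, as an added example that is not code from this thread or from Dropbox: it builds the /oauth2/authorize URL and checks which account a token response is bound to before the token is stored. It assumes the `force_reauthentication` parameter and the `account_id` field of the token response as described in Dropbox's OAuth documentation; the function names are hypothetical and all sample values are constructed.

```python
import hmac
import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://www.dropbox.com/oauth2/authorize"

def build_authorize_url(app_key, redirect_uri, force_reauth=True):
    """Return (url, state). The app key only identifies the app; the
    account is whoever approves the page in the browser."""
    state = secrets.token_urlsafe(16)  # CSRF token, checked on the callback
    params = {"client_id": app_key, "response_type": "code",
              "redirect_uri": redirect_uri, "state": state}
    if force_reauth:
        # Assumed parameter: makes the user sign in again, so an existing
        # browser session for another account is not reused silently.
        params["force_reauthentication"] = "true"
    return AUTHORIZE_URL + "?" + urlencode(params), state

def check_token_response(token_response, sent_state, returned_state,
                         expected_account_id=None):
    """Decide whether a token response may be stored for this user."""
    if not hmac.compare_digest(sent_state, returned_state):
        return "reject: state mismatch"
    account_id = token_response.get("account_id")
    if not token_response.get("access_token") or not account_id:
        return "reject: incomplete token response"
    if expected_account_id and account_id != expected_account_id:
        # App owned by X, browser signed in as Y: the token is for Y.
        return "mismatch: token is for " + account_id
    return "ok: linked " + account_id

# Constructed sample: app registered by account X, approved by account Y.
ACCOUNT_X = "dbid:CONSTRUCTED-ACCOUNT-X"
SAMPLE_RESPONSE = {"access_token": "CONSTRUCTED-TOKEN",
                   "token_type": "bearer",
                   "account_id": "dbid:CONSTRUCTED-ACCOUNT-Y"}

if __name__ == "__main__":
    url, state = build_authorize_url("CONSTRUCTED_APP_KEY",
                                     "https://app.example/callback")
    print(url)
    print(check_token_response(SAMPLE_RESPONSE, state, state, ACCOUNT_X))
```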