I want a handful of users to be able to read and write files to a folder programmatically.
I've created an App and, using the "Generate Token" button, I can read and write to the App folder programmatically. Now, I want to enable a limited set of other users to do the same. What's the best way to do so?
The App page says I should use OAuth to add others to the App. However, why not just generate and share one token per user? That way, I can restrict access to the users I want and, if needed, revoke the token. If I use OAuth, how would I limit access to just the few users that qualify?
The API was designed with the intention that each user would link their own Dropbox account, in order to interact with their own files. (And for apps using the "app folder" permission, each user would get their own distinct app folder.) To allow arbitrary users to do so, the app would implement the OAuth app authorization flow so that it can programmatically receive an access token for each account.
It sounds like you instead want to have all of your end-users connect to the same app folder though, from your specific account only (not their own accounts). Is that correct?
While this is technically possible, we generally don't recommend doing so, for various technical and security reasons. However, if you did want to go this route, manually generating an access token for each end-user is one way to do so.
Greg - thank you for the response and your summary is correct.
I do not want to enable arbitrary users to link their own Dropbox account.
I do want a collaborative team of users to connect to the same App folder which we will use for dynamic, programmatic interactions on the same set of files.
Could you help me understand the security risks? For example, I understand everyone will have read/write access to the App/files and there's some concern there but that's the goal and I don't mind. Browsing the API, I don't see any more serious security risks but please let me know if you are aware of any.
Thanks for clarifying. For this sort of use case, we would generally recommend having each user use their own account, and share the files via a shared folder. You could then use a full Dropbox app connected to each individual account to operate on the contents of the shared folder.
That said, distributing access tokens for an app folder in your account would also work. The security concerns are indeed about the inability to prevent a malicious user who was able to get the access token from performing malicious operations. If all of the end-users are trusted, however, and can be trusted to properly secure the access tokens, then that concern is allayed. (And using the app folder is a good way to minimize the potential exposure.) However, I should disclaim that I cannot offer general security advice, so you may want to consult with a security expert if you have any general security questions.
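The "OAuth app authorization flow" that the replies above recommend (each user links their own account, then collaborates through a shared folder) is shown below as an added example. It is not code from this thread or from Dropbox's SDK; it builds the authorization-code flow with PKCE against Dropbox's documented `/oauth2/authorize` and `/oauth2/token` endpoints using only the standard library. `APP_KEY`, `REDIRECT_URI` and the injected `post` callable are assumptions so the example runs offline; in production `post` would be `requests.post(url, data=form).json()`. The `state` check is the part people skip and is what stops a forged callback from binding an attacker's account to a victim's session.

```python
"""Dropbox OAuth 2 authorization-code flow with PKCE (illustrative example).

Endpoint URLs are Dropbox's documented ones. APP_KEY, REDIRECT_URI and the
`post` callable are assumptions for this example, not values from the thread.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://www.dropbox.com/oauth2/authorize"
TOKEN_URL = "https://api.dropboxapi.com/oauth2/token"
APP_KEY = "your_app_key_here"            # assumption: placeholder app key
REDIRECT_URI = "http://localhost:8080/cb"  # assumption: local callback


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method.

    A 32-byte random verifier base64url-encodes to 43 chars, the RFC minimum.
    """
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(app_key, redirect_uri, state, challenge):
    """URL the end-user opens; token_access_type=offline yields a refresh token."""
    params = {
        "client_id": app_key,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "token_access_type": "offline",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Extract the authorization code, rejecting a missing or mismatched state.

    The state must equal the value this session generated; comparing in
    constant time avoids leaking it through timing.
    """
    q = parse_qs(urlparse(callback_url).query)
    state = q.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or stale callback")
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"][0])
    return q["code"][0]


def exchange_code(post, app_key, code, verifier, redirect_uri):
    """Exchange the code for tokens. `post(url, form) -> dict` is injected so
    this runs offline; PKCE lets a public client omit the app secret."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": app_key,
        "code_verifier": verifier,
        "redirect_uri": redirect_uri,
    }
    return post(TOKEN_URL, form)


def link_one_user(post, callback_url_for):
    """Run the whole flow for one user. `callback_url_for(url) -> str` stands in
    for the browser round trip and returns the redirect the user came back with."""
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    url = build_authorize_url(APP_KEY, REDIRECT_URI, state, challenge)
    code = parse_callback(callback_url_for(url), state)
    return exchange_code(post, APP_KEY, code, verifier, REDIRECT_URI)


if __name__ == "__main__":
    # Constructed stand-ins: echo the state back with a fake code, and a fake
    # token endpoint that just reflects the form it received.
    fake_cb = lambda u: REDIRECT_URI + "?code=fakecode&state=" + parse_qs(urlparse(u).query)["state"][0]
    fake_post = lambda url, form: {"access_token": "at-" + form["code"], "token_type": "bearer"}
    print(link_one_user(fake_post, fake_cb))
```

Each user who completes this flow hands the app a token scoped to their own account, so revoking one user is a matter of disconnecting that user (or deleting their refresh token) rather than rotating a token every teammate shares; access to the common files is then governed by the shared folder's membership rather than by who has a copy of a secret.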