cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Want to learn some quick and useful tips to make your day easier? Check out how Calvin uses Replay to get feedback from other teams at Dropbox here.

Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Re: Invalid access token

Invalid access token

Muneebzzzz
Explorer | Level 4

I generated an access token while creating my project on dropbox app console, and used that token to let my user's to fetch data from my drobox using my android app, everything worked fine for months but today i was getting an exception that my access token is not valid, then i generated a new access token from app console and it again started working, now that my token is changed and is affecting my users as they have the old one.. i want to know what has happened and how my token becomes invalid, is the token got changed or what.. i have over 5k installs on google play and now my all users are affecting

14 Replies 14

Greg-DB
Dropbox Staff

By default, Dropbox API access tokens for your app(s) don't expire by themselves, but there a number of different ways that a Dropbox API access token can become invalid:

  • the user can revoke all access tokens for an app by unlinking it on the connected apps page
  • any client with the access token can revoke the access token by calling /2/auth/token/revoke
  • if the app uses the "app folder" permission, the token can be disabled by the user deleting the app folder itself in the Dropbox account, either via the Dropbox website or any client
  • the app can be disabled
  • the account that owns the app can be disabled
  • the connected account can be disabled

Also, I should note that the Dropbox API was designed with the intention that each end-user would link their own Dropbox account, in order to interact with their own files, in which case they would only have access to their own access token(s).

It is technically possible to connect to just one account, by always using a specific access token, for all end-users of your app, and it sounds like that's what you're doing in this case. Please be aware that we don't recommend doing so, for various technical and security reasons. This is especially true for client-side apps, such as Android apps, as they can't keep the access token a secret from the end-users.

Muneebzzzz
Explorer | Level 4
Aslo note down that my app console is still in development mode and my app is published on playstore,i have hard coded the access token in my android app so the users can able to fetch data from my dropbox withouth any aunthentication, is that may be the reason that my access token gets invalid because my app console is still in development mode?

Greg-DB
Dropbox Staff

No, your app being in development mode would not affect access token validity. The development mode only limits how many different Dropbox accounts can be connected to your app. Since you are only connecting your app to your one account, that isn't relevant. 

Muneebzzzz
Explorer | Level 4
I got the information while generating the access token that i should use standard auth process to generate access tokens for my users. What does that mean then

Greg-DB
Dropbox Staff

It sounds like you're referring to using the OAuth app authorization flow. That's the process you would implement in your app for the normal case where you have each end-user connect their own Dropbox account to receive their own access token. You can find more information in the OAuth Guide and authorization documentation (as well as the documentation for the SDK/library you're using, if any). 

In your case, since you're using the non-recommended method of hard-coding your own access token in the app you distribute to users, you don't need to use the OAuth app authorization flow at all. 

For reference, the access token you get for your own account by using the "Generate" button on your app's page on the App Console is functionally the same as an access token you would retrieve for your account via the OAuth app authorization flow.

Muneebzzzz
Explorer | Level 4
This is sample code which iam using to make my user a client through access token.. am i making some mistake which can cause to my access token invalid?

public class Main { private static final String ACCESS_TOKEN = "<ACCESS TOKEN>"; public static void main(String args[]) throws DbxException { // Create Dropbox client DbxRequestConfig config = DbxRequestConfig.newBuilder("dropbox/java-tutorial").build(); DbxClientV2 client = new DbxClientV2(config, ACCESS_TOKEN); }

FullAccount account = client.users().getCurrentAccount();

ListFolderResult result = client.files().listFolder(""); while (true) { for (Metadata metadata : result.getEntries()) { System.out.println(metadata.getPathLower()); } if (!result.getHasMore()) { break; } result = client.files().listFolderContinue(result.getCursor()); }

Greg-DB
Dropbox Staff

No, there's nothing in this code that would invalidate the access token.

Please refer to my earlier comment for a list of things that can disable an access token.

Muneebzzzz
Explorer | Level 4
I have read them all and i didnot use any code which could lead my user to invalidate access token, my app was working fine for 10 months without any trouble but this month i have got two times invalid token exceptions and i do not know what could cause it, i have to update my app with new token each time

Greg-DB
Dropbox Staff

While you yourself may not have revoked the token, it's possible someone who downloaded your app did. Since you embedded your access token in the app, someone could extract it from the app and then use /2/auth/token/revoke (or any other API endpoint) themselves. This is one of the reasons we don't recommend distributing your own access token like this.

Need more support?