Thanks for the report. If I understand your message correctly though, this is the expected behavior, but please let me know if I've misunderstood or misread your message.
The account that "owns" an API app (and correspondingly owns its app key and secret), that is, the account that registered that API app, is not necessarily going to be the same as the account that any particular access token for that app allows access to.
Put another way:
- app key and secret: identify a particular app, and each app is "owned" by one account, but do not themselves enable access to any account
- access token: identifies a particular app and user pair, but the user is not necessarily the same as the app owner above
So, regardless of who registered the app in the first place, the resulting access token is going to be connected to the account that was signed in and authorized the app on the /oauth2/authorize page.
One potential point of confusion here is where you said "it gives the access token of the App created in Dropbox Y.". Do you mean that Dropbox Y also registered an API app, and that the resulting access token is for that app? If so, how are you checking that? The access token in this scenario should be for Dropbox account Y, but for the app owned by Dropbox account X.
By the way, we generally don't recommend having users register their own apps to get their own app keys and secrets. You as the developer of the app should just do that once per app, and use the resulting app key and secret in your app, in order to get access tokens for any end-users using your app. (Once in production mode, a single app can be used by any number of users.)
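
A minimal in-memory model of the flow described in the reply above, added here as an illustration; it is not part of the original post and is not Dropbox's code. The `AuthServer` class, its method names and the account names are hypothetical, and the real service is reached over HTTPS rather than through local calls.

```python
import hmac
import secrets

class AuthServer:
    """Toy in-memory model of an OAuth 2 authorization server (hypothetical, not Dropbox code)."""

    def __init__(self):
        self.apps = {}    # app_key -> {"secret": ..., "owner": ...}
        self.codes = {}   # one-time authorization code -> (app_key, user)
        self.tokens = {}  # access token -> (app_key, user)

    def register_app(self, owner):
        # Done once by the developer; yields credentials that identify the app only.
        app_key, app_secret = secrets.token_hex(8), secrets.token_hex(16)
        self.apps[app_key] = {"secret": app_secret, "owner": owner}
        return app_key, app_secret

    def authorize(self, app_key, signed_in_user):
        # Models the /oauth2/authorize page: the code is bound to whoever is signed in and approves.
        if app_key not in self.apps:
            raise KeyError("unknown app key")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (app_key, signed_in_user)
        return code

    def exchange(self, code, app_key, app_secret):
        # The app authenticates itself with key + secret; the user comes from the code.
        app = self.apps.get(app_key)
        if app is None or not hmac.compare_digest(app["secret"], app_secret):
            raise PermissionError("bad app credentials")
        bound_key, user = self.codes.pop(code)  # single use: a replayed code raises KeyError
        if bound_key != app_key:
            raise PermissionError("code was issued to a different app")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (app_key, user)
        return token

    def whoami(self, token):
        # Returns the (app, user) pair the token stands for, plus the app's owner.
        app_key, user = self.tokens[token]
        return {"app_key": app_key, "app_owner": self.apps[app_key]["owner"], "account": user}

def demo():
    server = AuthServer()
    key, secret = server.register_app(owner="account_X")      # X registers the app
    code = server.authorize(key, signed_in_user="account_Y")  # Y signs in and approves
    return server.whoami(server.exchange(code, key, secret))
```

`demo()` returns a record whose `app_owner` is `account_X` and whose `account` is `account_Y`: the token belongs to the app X registered but grants access to the account that authorized it.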