Re: refresh token is malformed | How to get new access token by refresh token

refresh token is malformed

helloBichya
Explorer | Level 4

I am trying to generate a new access token using app_key, app_secret and refresh_token obtained using the following URL.

https://www.dropbox.com/oauth2/authorize?client_id=<APP_KEY>&token_access_type=offline&response_type=code

but the response returned is

    data: {
      error: 'invalid_grant',
      error_description: 'refresh token is malformed'
    }

My App Specifications -

Permission Type - Scoped App (App Folder)

Code -

    const axios = require('axios');

    const clientId = 'xx';      // app key
    const clientSecret = 'xx';  // app secret
    const refreshToken = 'xx';

    axios({
      method: 'post',
      url: 'https://api.dropbox.com/oauth2/token',
      // Form-encoded body, so the secret and token stay out of the URL
      data: new URLSearchParams({
        grant_type: 'refresh_token',
        refresh_token: refreshToken,
        client_id: clientId,
        client_secret: clientSecret
      })
    })
      .then(response => {
        const accessToken = response.data.access_token;
        console.log(`Access token: ${accessToken}`);
        // Use the access token to make API requests
      })
      .catch(error => {
        // Log only the API's error body; the full axios error object
        // carries the request config, including the app secret
        console.error(error.response ? error.response.data : error.message);
      });

 

 

 

 

 

 


Здравко
Legendary | Level 20

Hi @helloBichya,

Ok, but how/where did you get your refresh token from? 🧐 You haven't shown that in your post. 🤔.

 

... or maybe you're trying to use the code as a refresh token? 😁 They are different things. 😉 Take a look once again in the documentation.

Hope this helps.

helloBichya
Explorer | Level 4

Yes, you are right. I am dumb. Thank you for the help @Здравко. I treated the authorization code as the refresh token.
My story -

I want to post images to Dropbox from Netlify functions. I used short-lived access tokens; since they expire, I wanted a refresh token to get a new short-lived access token.

 

Solution for someone like me - (if your use case is similar to mine)

Step 1 - Generate an authorization code for your app through the following URL by replacing <APP_KEY> with your app key.

https://www.dropbox.com/oauth2/authorize?client_id=<APP_KEY>&token_access_type=offline&response_type=code

Step 2 - After replacing, visit the URL and grant authorization. An authorization code will get generated (43 characters approx). Copy that.

Step 3 - Now we have to pass the authorization code, app_key and app_secret to a curl request to generate the refresh token. I am using Postman.

Flow - Open Postman -> Import -> Raw text -> paste the curl request and replace <APP_KEY>, <APP_SECRET>, <ACCESS_CODE> (i.e. authorization code) -> Continue -> Send Request.

    curl --location --request POST 'https://api.dropboxapi.com/oauth2/token' \
    -u '<APP_KEY>:<APP_SECRET>' \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'code=<ACCESS_CODE>' \
    --data-urlencode 'grant_type=authorization_code'

Done - You have obtained JSON which contains refresh_token.

________________________________________________________________________________

Now if you want to get a new access token, you can use the code below, or use the Dropbox SDK.

 

Code - 

 

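    const axios = require('axios');

    const clientId = 'xx';      // app key
    const clientSecret = 'xx';  // app secret
    const refreshToken = 'xx';  // 'refresh_token' from the /oauth2/token response

    axios({
      method: 'post',
      url: 'https://api.dropbox.com/oauth2/token',
      // Form-encoded body, so the secret and token stay out of the URL
      data: new URLSearchParams({
        grant_type: 'refresh_token',
        refresh_token: refreshToken,
        client_id: clientId,
        client_secret: clientSecret
      })
    })
      .then(response => {
        const accessToken = response.data.access_token;
        console.log(`Access token: ${accessToken}`);
        // Use the access token to make API requests
      })
      .catch(error => {
        // Log only the API's error body; the full axios error object
        // carries the request config, including the app secret
        console.error(error.response ? error.response.data : error.message);
      });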
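
The two /oauth2/token calls described in this thread, as an added example that is not part of any post and not Dropbox's own code: it keeps the authorization code, refresh token and access token as separate values and sends the app key and secret in a Basic auth header (as the curl command above does) instead of in the URL. The function names and the injectable `fetchImpl` parameter are assumptions of this example.

```javascript
// Added example: helper names are hypothetical; the endpoint and form
// parameters are the ones used in the thread. Needs Node 18+ (global fetch).
const TOKEN_URL = 'https://api.dropboxapi.com/oauth2/token';

// Build the POST for either grant. App key/secret go in a Basic auth header
// and the grant goes in the form body, so nothing secret lands in the URL.
function buildTokenRequest(grant, appKey, appSecret) {
  let form;
  if (grant.authorizationCode) {
    // One-time code displayed after visiting /oauth2/authorize
    form = { grant_type: 'authorization_code', code: grant.authorizationCode };
  } else if (grant.refreshToken) {
    // Long-lived value returned by the authorization_code exchange
    form = { grant_type: 'refresh_token', refresh_token: grant.refreshToken };
  } else {
    throw new TypeError('grant needs authorizationCode or refreshToken');
  }
  const basic = Buffer.from(`${appKey}:${appSecret}`).toString('base64');
  const headers = {
    Authorization: `Basic ${basic}`,
    'Content-Type': 'application/x-www-form-urlencoded',
  };
  const body = new URLSearchParams(form).toString();
  return { url: TOKEN_URL, init: { method: 'POST', headers, body } };
}

// Send the request. On failure, surface only the OAuth error fields (such as
// invalid_grant / "refresh token is malformed"), never the request itself.
async function requestToken(grant, appKey, appSecret, fetchImpl = fetch) {
  const { url, init } = buildTokenRequest(grant, appKey, appSecret);
  const res = await fetchImpl(url, init);
  const json = await res.json();
  if (!res.ok) throw new Error(`${json.error}: ${json.error_description}`);
  return json;
}

// Step 1, run once: exchange the authorization code and keep the refresh_token.
async function exchangeCode(code, appKey, appSecret, fetchImpl) {
  const grant = { authorizationCode: code };
  return (await requestToken(grant, appKey, appSecret, fetchImpl)).refresh_token;
}

// Step 2, every run: trade the stored refresh token for a short-lived access token.
async function refreshAccessToken(refreshToken, appKey, appSecret, fetchImpl) {
  const json = await requestToken({ refreshToken }, appKey, appSecret, fetchImpl);
  return json.access_token;
}
```

In a serverless function the app key, app secret and stored refresh token would come from the platform's environment variables rather than from literals in the source.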

 

 

 

Greg-DB
Dropbox Staff

Thanks for following up and sharing your code. I'm glad to hear you got this sorted out.

 

To confirm, the refresh token is not the value returned by www.dropbox.com/oauth2/authorize... itself. Using www.dropbox.com/oauth2/authorize with 'response_type=code' gives an 'authorization code' (sometimes also called 'access code').

 

The refreshToken value should be the 'refresh_token' returned by /oauth2/token when you called /oauth2/token with 'grant_type=authorization_code'. That's different from the 'access token' as well as the 'authorization code'; the three are not interchangeable.

 

For anyone looking for more information, refer to the following resources for information on how to use the app authorization flow:
