Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

API Newbie: Authenticating and using on client side while keeping accessToken/App secret hidden

FuriousPig
Explorer | Level 3

Hi, I am unable to figure out the flow to get clients who are logged in to my app to access Dropbox without creating a `const dbx = new Dropbox({accessToken:<MY PERMANENT ACCESS TOKEN THAT SHOULD BE HIDDEN>})` class. I can authenticate the server on the back end but then I don't want files to have to go via the server, when the client should be able to load and save documents from the client side.

Am I missing something in the documentation or am I just unaware of some basic Node.js knowledge that does allow me to create the class on the back end then pass the `dbx` class to be used on the client? I can't see that being a thing, somehow.

Alternatively, I imagine something like a fetch call to a Dropbox endpoint with the client_id that then checks with my provided server endpoint for a valid accessToken or secret key and if verified returns to the client with a one-time accessToken for use during that session?

Thanks for the guidance!

Re: API Newbie: Authenticating and using on client side while keeping accessToken/App secret hidden

Greg-DB
Dropboxer

While you can plug in an access token for your own account like you showed here, the API was designed with the intention that each user would link their own Dropbox account, in order to interact with their own files. That's accomplished by implementing the OAuth flow in your app, so that each user can authorize the app to access their own Dropbox account (such that the app receives a distinct access token for each user). You can find information on how this works in the OAuth Guide.

For the JavaScript SDK in particular, there's an example of doing this with a node server-side app here, as well as an example of doing this in a JavaScript client-side app here.

Alternatively, do you mean that your end-users should only be interacting with the contents of your own one Dropbox account? That's not the intended/supported use of the API, but it is technically possible. You shouldn't expose your access token to the end-users client-side though, so in that case you may want to use filesGetTemporaryLink and filesGetTemporaryUploadLink instead. That is, you can make those calls using your access token on the server, and just pass down the links (but not the access token) to the client.
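
The last option in the reply above (the server calls `filesGetTemporaryLink` / `filesGetTemporaryUploadLink` with its own token and passes only the link down), as an added example that is not part of the original thread or Dropbox's sample code. The `session` object, the `/shared/<userId>/` folder layout, the helper names and the stub client are assumptions made for illustration.

```javascript
// Added example. ASSUMPTIONS: `dbx` is a Dropbox SDK client built on the server
// with the app's own token (SDK version that wraps responses in `.result`);
// `session` comes from your app's login; /shared/<userId>/ is a hypothetical layout.

// Map a client-supplied file name to a path inside the caller's own folder.
function resolveUserPath(userId, name) {
  if (typeof userId !== 'string' || !/^[A-Za-z0-9_-]{1,64}$/.test(userId)) {
    throw new Error('bad user id');
  }
  // Plain file names only: no separators and no leading dot, so no ".." segments.
  if (typeof name !== 'string' || !/^[A-Za-z0-9_-][A-Za-z0-9._ -]{0,127}$/.test(name)) {
    throw new Error('bad file name');
  }
  return `/shared/${userId}/${name}`;
}

// Returns only a temporary link; the access token never leaves the server.
async function issueLink(dbx, session, { name, action }) {
  if (!session || !session.userId) return { status: 401, body: { error: 'not logged in' } };
  let path;
  try {
    path = resolveUserPath(session.userId, name);
  } catch (e) {
    return { status: 400, body: { error: e.message } };
  }
  if (action === 'download') {
    const res = await dbx.filesGetTemporaryLink({ path });
    return { status: 200, body: { link: res.result.link } };
  }
  if (action === 'upload') {
    const res = await dbx.filesGetTemporaryUploadLink({
      commit_info: { path, mode: { '.tag': 'overwrite' } },
    });
    return { status: 200, body: { link: res.result.link } };
  }
  return { status: 400, body: { error: 'unknown action' } };
}

// Constructed stand-in for the SDK client so the example runs offline.
const fakeDbx = {
  filesGetTemporaryLink: async ({ path }) =>
    ({ result: { link: `https://example.invalid/dl${path}` } }),
  filesGetTemporaryUploadLink: async ({ commit_info }) =>
    ({ result: { link: `https://example.invalid/ul${commit_info.path}` } }),
};

issueLink(fakeDbx, { userId: 'u42' }, { name: 'report.pdf', action: 'download' })
  .then((r) => console.log(r.status, r.body));
```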
