neunygph
Explorer | Level 4
9 years ago

Access token and revoke

To whom it may concern,

1. With the API version 2, will the API token ever expire?

2. Assuming I want to revoke the token by making a call to /auth/token/revoke and then try to generate the token again, will the new token be the same as the revoked one, or are they 2 different tokens?

Thanks,

8 Replies

  • Greg-DB
    Dropbox Community Moderator
    9 years ago
    1. Access tokens for the Dropbox API, regardless of which version you're using, don't expire by themselves. Users and apps can explicitly revoke tokens though.

    2. In this case, you'd get a new access token, not the old one.
  • neunygph
    Explorer | Level 4
    9 years ago
    Hi Greg,

    Since the token does not expire by itself, is there a way or function in the API to validate the user, to make sure the token will not be used by someone else in case of a browser hack or something like that?
  • Greg-DB
    Dropbox Community Moderator
    9 years ago
    I'm not sure I understand your question, can you elaborate?

    In any case though, if you would want the access tokens to effectively expire, you can have your app explicitly revoke them on whatever schedule you want.
  • neunygph
    Explorer | Level 4
    9 years ago
    Hi Greg,

    Thanks for getting back to me and sorry for the late response. I understand the part that we need to have the token effectively expire and that it is best stored on the app server. But for instance, suppose I set the token as a cookie stored in a user's browser and have it expire in 3 days, and somehow the token is exploited by accident and is used by a different user before it expires. In other words, a token from user A is being used by user B (worst-case scenario). If this happens, is there a way to validate the token when it's passed to the API to make sure the token belongs to the correct user?

    Thanks
  • Greg-DB
    Dropbox Community Moderator
    9 years ago
    Thanks for elaborating! No, the API doesn't offer anything quite like that. If the user has any reason to believe their browser and/or access tokens have been compromised though, they can revoke sessions and tokens on their account security page.

  • kgashok
    New member | Level 2
    9 years ago
    I did a "revoke" using the API explorer and tried to download a file; it came back and reported that:
    {
        "error_summary": "invalid_access_token/...",
        "error": {
            ".tag": "invalid_access_token"
        }
    }

    However, I could still get access to the files inside my App folder by making API calls using the same access token. How is this possible?
  • Greg-DB
    Dropbox Community Moderator
    9 years ago
    Hi kgashok, thanks for the report. I can't seem to reproduce this issue though. Are you sure you're using the same exact token? Revoking a token applies to that single token only, but any particular user-app pair can have multiple access tokens.

    If it's definitely the same token, please open an API ticket with all of the relevant requests/responses so we can look into it:

    https://www.dropbox.com/developers/contact
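
Greg-DB's suggestion above, having the app revoke tokens on its own schedule, could look like the following server-side job. This is an added example, not code from the thread or from Dropbox. The store layout, the 3-day policy (borrowed from the cookie lifetime in the question), the full host in REVOKE_URL and the injectable `post` parameter are assumptions.

```python
import json
import time
import urllib.error
import urllib.request

# Assumed full URL for the /auth/token/revoke call named in the thread.
REVOKE_URL = "https://api.dropboxapi.com/2/auth/token/revoke"
MAX_AGE_SECONDS = 3 * 24 * 3600  # assumed policy: the 3 days from the question


def http_post(url, token):
    """POST with a Bearer token and no body; return (status, body_text)."""
    req = urllib.request.Request(
        url, method="POST", headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def is_already_invalid(body):
    """True for the invalid_access_token error body quoted in the thread."""
    try:
        return json.loads(body)["error"][".tag"] == "invalid_access_token"
    except (ValueError, KeyError, TypeError):
        return False


def revoke_expired(store, now=None, post=http_post):
    """Revoke each stored token older than MAX_AGE_SECONDS.

    `store` (hypothetical layout) maps a server-side session id to
    {"token": str, "issued_at": float}. An entry is dropped only once the
    API confirms the token is dead; failures stay queued for the next run.
    """
    now = time.time() if now is None else now
    revoked = []
    for session_id, entry in list(store.items()):
        if now - entry["issued_at"] < MAX_AGE_SECONDS:
            continue  # still within policy
        status, body = post(REVOKE_URL, entry["token"])
        if status == 200 or is_already_invalid(body):
            del store[session_id]
            revoked.append(session_id)
    return revoked
```

Because revoking applies to a single token only, every token issued for a user-app pair needs its own entry in the store.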
