
Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.


New Dropbox API Updates


gagsbh
Explorer | Level 4

Hello @Greg-DB 

 

I received an email from Dropbox - Action Required: Important Dropbox API Updates.

I have an existing Dropbox app that uses the old way of scopes/permissions and long-lived access tokens.
What changes do I need to make for the following 2 Dropbox API updates?

------------------------------------------------------------------------------------------------------------------------------
1. As a reminder, on September 30th, 2021, the Dropbox OAuth flow will no longer return new long-lived access tokens.
It will instead return short-lived access tokens, and optionally return refresh tokens. Existing tokens are not impacted.

Apps that require background access will need to update their code to use refresh tokens, which is made easier by using our updated SDKs.
All other apps should ensure that users are directed to re-authorize upon token expiration.
---------

Qs 1A) I have an existing app that stores a long-lived access token in the database by asking users to do a one-time authorization.
Do I need to migrate these customers to short-lived access tokens or will the old long-lived access tokens work?

Qs 1B) For new customers, what design changes are required to be done by me?
Do I need to store both short-lived tokens and the refresh token, or just the refresh token, in the database?
What is the lifetime of a refresh token? What happens when the refresh tokens expire?
In case the refresh token expires, do I need to re-authorize users to get new short-lived access tokens and refresh tokens?
Ideally I want to just ask users to sign-up/authorize once.
-------------------------------------------------------------------------------------------------------------------------------

 

2. The Dropbox API now supports more granular permission scopes.
While you review your application’s OAuth flow, be sure to check for scopes that may not be required.

Qs 2A) I have existing users who have granted permissions using the old way. Are these impacted?

What about new users - do I need to modify scopes/permissions for my Dropbox App or will my App be automatically updated to new scopes?

Thanks,
Gagan


Accepted Solutions

Greg-DB
Dropbox Staff

1A) The creation of new long-lived access tokens is now considered deprecated, but we don't currently have a plan to disable existing long-lived access tokens. (If that changes, we will of course announce that ahead of time.) That being the case, you can continue using existing long-lived access token(s). You do not need to have these existing users re-authorize the app.

 

1B) For new users, you should use the new short-lived access token and refresh token functionality. You can find more information in the OAuth Guide and authorization documentation. You do not technically need to store the short-lived access tokens, only the refresh tokens, since you can use the refresh tokens to get new short-lived access tokens on demand.

 

Refresh tokens do not expire by themselves, unless/until revoked, e.g., by the app or user. If a refresh token is revoked, you should send the user through the authorization flow to get a new one, if they wish to continue using the integration. (This is just like with revoked long-lived access tokens.)

 

2A) Migrating to scopes does not impact existing access tokens. Existing access tokens will continue to have whatever permission they were originally granted.

 

You should migrate your app to scopes and select only the scopes needed for your app. You can migrate your app using the "Permissions" tab of the app's page on the App Console. You can see which scope is required for each endpoint in the API documentation.
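The storage pattern from answer 1B, as an added example that is not part of the original post and not Dropbox's own code: only the refresh token is persisted, short-lived access tokens are fetched on demand and held in memory, and a revoked refresh token sends the user back through authorization. `TokenManager`, `post_form` and the `store` mapping are hypothetical names, and the `invalid_grant` error body for a revoked token is assumed from RFC 6749.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.dropboxapi.com/oauth2/token"

class ReauthorizationRequired(Exception):
    """Refresh token missing or revoked: send the user through OAuth again."""

def post_form(url, fields):
    """POST form fields and return (HTTP status, decoded JSON body)."""
    data = urllib.parse.urlencode(fields).encode()
    try:
        with urllib.request.urlopen(url, data=data, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)

class TokenManager:
    def __init__(self, store, app_key, app_secret, post=post_form, clock=time.time):
        self.store = store  # persistent mapping: user id -> refresh token only
        self.cache = {}     # memory only: user id -> (access token, expiry time)
        self.app_key, self.app_secret = app_key, app_secret
        self.post, self.clock = post, clock

    def access_token(self, user_id):
        token, expiry = self.cache.get(user_id, (None, 0))
        if token and self.clock() < expiry - 60:  # reuse until 60 s before expiry
            return token
        if user_id not in self.store:
            raise ReauthorizationRequired(user_id)
        status, body = self.post(TOKEN_URL, {
            "grant_type": "refresh_token",
            "refresh_token": self.store[user_id],
            "client_id": self.app_key,
            "client_secret": self.app_secret,
        })
        if status == 400 and body.get("error") == "invalid_grant":
            # Assumed RFC 6749 error for a revoked token: forget it, re-authorize.
            self.store.pop(user_id, None)
            self.cache.pop(user_id, None)
            raise ReauthorizationRequired(user_id)
        if status != 200:
            raise RuntimeError(f"token refresh failed with HTTP {status}")
        self.cache[user_id] = (body["access_token"], self.clock() + body["expires_in"])
        return body["access_token"]
```

Because the access token never reaches the database, a leaked database row exposes only the refresh token, which is useless without the app secret and can be revoked.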
