I have a client wanting to link Dropbox to FileMaker Pro. I have created the APIs to read, write, delete and grab a shared link, which is all the client wants. But here's the thing: A client has looked at the process of establishing a connection to Dropbox using my API authentication script and noticed the numerous obstacles needed to grab an access token before finally allowing access to the Dropbox files. We have to log in using username and password (fair enough). But then we must solve a puzzle (three times) to prove we are human, followed by clicking on two OK buttons to confirm that the API app created in Dropbox can connect to the Dropbox files, copy the authorization code, and paste it into the app, and finally the client gets to see the "You are authenticated!" message. What a mess, and here we are in the 21st century trying to make life easier for the client.
Is there any way we can simplify this authentication process? For example, the APIs for connecting to MYOB do not constantly ask whether the app can connect to Dropbox every time we authenticate. It was already established at the time of setting up the app.
Is there something similar in Dropbox?
In the meantime I am going to remove the window showing the app has been finally authenticated to a simple message in the UI so the client can straight away work with the files.
While there isn't a way to simplify the authentication, captcha, and authorization process (though the captcha isn't always shown), this process only needs to be done once per user. After that, the app can store and re-use the resulting credentials without reprocessing that flow.
In order to maintain long-term access to an account via the API without having to manually re-authorize the app repeatedly, the app should have the user process the OAuth app authorization process once, but request "offline" access when doing so.
When requesting offline access, the app will receive a "refresh token". The app can store and re-use that refresh token repeatedly in order to retrieve new short-lived access tokens, whenever needed. This process of using a refresh token to get a new short-lived access token can be done entirely programmatically, and does not require manual user interaction. Refresh tokens don't expire (though they can be revoked on demand).
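The flow described in the answer above, as an added Python sketch (not code from the original thread or from Dropbox): the user authorizes once with `token_access_type=offline`, the pasted code is exchanged for a refresh token, and later access tokens are obtained without user interaction. The `DropboxSession` class and the injectable `post` and `clock` parameters are hypothetical names chosen for this example; the endpoints and form fields are those of Dropbox's OAuth 2 API.

```python
import json, time, urllib.parse, urllib.request

AUTHORIZE_URL = "https://www.dropbox.com/oauth2/authorize"
TOKEN_URL = "https://api.dropboxapi.com/oauth2/token"

def authorize_url(app_key):
    """URL the user visits once; token_access_type=offline requests a refresh token."""
    q = urllib.parse.urlencode({"client_id": app_key, "response_type": "code",
                                "token_access_type": "offline"})
    return f"{AUTHORIZE_URL}?{q}"

def http_post_form(url, fields):
    """Default transport: form-encoded POST over HTTPS, JSON response."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

class DropboxSession:
    """Holds the long-lived refresh token and mints short-lived access tokens."""
    def __init__(self, app_key, app_secret, refresh_token, post=http_post_form, clock=time.time):
        self._creds = {"client_id": app_key, "client_secret": app_secret}
        self.refresh_token = refresh_token  # persist in protected storage; never log it
        self._post, self._clock = post, clock
        self._access_token, self._expires_at = None, 0.0

    @classmethod
    def from_code(cls, app_key, app_secret, code, post=http_post_form, clock=time.time):
        """One-time step: exchange the pasted authorization code for tokens."""
        resp = post(TOKEN_URL, {"grant_type": "authorization_code", "code": code,
                                "client_id": app_key, "client_secret": app_secret})
        session = cls(app_key, app_secret, resp["refresh_token"], post, clock)
        session._remember(resp)
        return session

    def _remember(self, resp):
        self._access_token = resp["access_token"]
        self._expires_at = self._clock() + resp["expires_in"]

    def access_token(self, skew=60):
        """Return a valid access token, refreshing programmatically when near expiry."""
        if self._access_token is None or self._clock() >= self._expires_at - skew:
            self._remember(self._post(TOKEN_URL, {"grant_type": "refresh_token",
                                                  "refresh_token": self.refresh_token, **self._creds}))
        return self._access_token
```

On later launches the app rebuilds the session from the stored refresh token with `DropboxSession(app_key, app_secret, stored_refresh_token)` and calls `access_token()` before each API request.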