cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community
English
Announcements
What’s new: end-to-end encryption, Replay and Dash updates. Find out more about these updates, new features and more here.

Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Dropbox App sharing questions

Labels:

Dropbox App sharing questions

edmlabs
New member | Level 2
‎03-12-2019 10:38 AM

I want a handful of users to be able to read and write files to a folder programmatically.

I've created an App and, using the "Generate Token" button, I can read and write to the App folder programmatically. Now, I want to enable a limited set of other users to do the same. What's the best way to do so?

The App page says I should use OAuth to add others to the App. However, why not just generate and share one token per user?That way, I can restrict access to the users I want and, if needed, revoke the token. If I use OAuth, how would I limit access to just the few users that qualify?

Labels:
  • 0 Likes
  • 3 Replies
  • 876 Views
0 Likes
3 Replies 3

Greg-DB
Dropbox Staff
‎03-12-2019 12:21 PM

The API was designed with the intention that each user would link their own Dropbox account, in order to interact with their own files. (And for apps using the "app folder" permission, each user would get their own distinct app folder.) To allow arbitrary users to do so, the app would implement the OAuth app authorization flow so that it can programmatically receive an access token for each account.

It sounds you instead want to have all of your end-users connect to the same app folder though, from your specific account only (not their own accounts). Is that correct?

While this is technically possible, we generally don't recommend doing so, for various technical and security reasons. However, if you did want to go this route, manually generating an access token for each end-user is one way to do so. 

edmlabs
New member | Level 2
‎03-12-2019 02:09 PM

Greg - thank you for the response and your summary is correct.

I do not want to enable arbitrary users to link their own Dropbox account.

I do want a collaborative team of users to connect to the same App folder which we will use for dynamic, progammatic interactions on the same set of files. 

Could you help me understand the security risks? For example, I understand everyone will have read/write access to the App/files and there's some concern there but that's the goal and I don't mind. Browsing the API, I don't see any more serious security risks but please let me know if you are aware of any.

0 Likes

Greg-DB
Dropbox Staff
‎03-12-2019 02:46 PM

Thanks for clarifying. For this sort of use case, we would generally recommend having each user use their own account, and share the files via a shared folder. You could then use a full Dropbox app connected to each individual account to operate on the contents of the shared folder.

That said, distributing access tokens for an app folder in your account would also work. The security concerns are indeed about the inability to prevent a malicious user who was able to get the access token from performing malicious operations. If all of the end-users are trusted, however, and can be trusted to properly secure the access tokens, then that concern is allayed. (And using the app folder is a good way to minimize the potential exposure.) However, I should disclaim that I cannot offer general security advice, so you may want to consult with a security expert if you have any general security questions.

Need more support?
Who's talking

Top contributors to this post

  • User avatar
    Greg-DB Dropbox Staff
  • User avatar
    edmlabs New member | Level 2
What do Dropbox user levels mean?