In order to get an access token for a user's account in order to interact with the user's Dropbox account programmatically, you do need to get authorization from the user at least once. An app gets authorization from the user by sending them through the OAuth app authorization flow. If the user authorizes the app, the app will receive an access token it can use to call the API, and optionally a refresh token. The app can store and re-use that, so it doesn't need to send the user through the authorization flow again.
Depending on what settings you use though, you may need to send the use through the authorization flow again occasionally to get a new access token. Please first read the OAuth Guide for information on the different options available and what kind of input they do or don't require from the user.
In addition to what Greg said, I would add that there is a very good reason for requiring that the user go through the explicit authorization process on a web page at least once. If there were a way to accomplish the same thing without ever sending the user to a web page, it would then be possible for malicious app code to trick the user into devulging their Dropbox password to the app. If an app can see the user's Dropbox password then the app could send it to a malicious entity that could then break into the user's Dropbox and compromise their privacy. As it is, the app never sees the user's password. And the web page ensures that the user is fully informed as to why they are being asked for their password, and their security is protected.