Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

How to switch to short-lived access tokens?

Aristide

Hello,
I am developing an application on Android using the Dropbox API. For UI construction reasons I don't use your SDK but the regular flow, because I go through my own web client to retrieve the code and then the access token.

So far I was using the long-lived version of the access token. How can I now continue to use my implementation and work with short-lived access tokens and thus, I guess, get a refresh token?

Thanks.


Greg-DB
Dropbox Staff

As you found, Dropbox is currently in the process of switching to only issuing short-lived access tokens (and optional refresh tokens) instead of long-lived access tokens. You can find more information on this migration here.

Apps can still get long-term access by requesting "offline" access though, in which case the app receives a "refresh token" that can be used to retrieve new short-lived access tokens as needed, without further manual user intervention. You can find more information in the OAuth Guide and authorization documentation. For client-side apps, such as on Android, you should use the "PKCE" flow in particular.

Aristide

Thank you Greg-DB,
if I understand correctly, as with the other APIs, I just have to save a refresh token locally and generate a new access token with an API request when the expiration has arrived? (https://api.dropbox.com/oauth2/token)

So it's a short-lived access token operation, because on my developer console I cannot specify short-lived; "Access token expiration" does not appear?

NB: my app is in development mode.

Greg-DB
Dropbox Staff

> I just have to save a refresh token locally and generate a new access token with an API request when the expiration has arrived?

Yes, that's correct. To maintain long-term access, you should store and re-use the refresh token whenever needed. You can get a new short-lived access token whenever needed by calling /oauth2/token with the refresh token.

> So it's a short-lived access token operation, because on my developer console I cannot specify short-lived; "Access token expiration" does not appear?

Yes, going forward you should use short-lived access tokens and (optionally) refresh tokens for all further authorizations. As we finish rolling out this change, that "Access token expiration" setting will no longer be available, and so getting new long-lived access tokens will not be possible.

Aristide

Okay,
If I may say so, it would be good to update the migration document, because it causes confusion by showing the token type selection.

https://dropbox.tech/developers/migrating-app-permissions-and-access-tokens

 

Last question, the principle of obtaining a short-term access token will remain perennial, and it will not subsequently be compulsory to go through implicit grant or PKCE?

In the meantime, thank you for your very appreciable responsiveness.
Regards.

Greg-DB
Dropbox Staff

Short-lived access tokens expire after a few hours (be sure to check the actual API response for the specific expiration time). If the app requests "offline" access and stores the resulting access token, it does not need to send the user through the app authorization flow again, as it can use the refresh token without further manual interaction. If the app requests "online" access, it will only have access for as long as the short-lived access token is valid; after that, it would need to send the user through the app authorization flow again if the user wishes to continue using the integration.
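The refresh step discussed in this thread, as an added example that is not code from Dropbox or from either poster: a small cache that calls the token endpoint quoted above with the stored refresh token and renews the access token based on the expiry the response reports. The names AccessTokenCache, post_form and skew are made up for the example; the form fields are the standard OAuth 2 refresh-grant parameters, and sending client_id without a secret assumes the refresh token was issued through the PKCE flow.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.dropbox.com/oauth2/token"  # endpoint quoted in the thread


def post_form(url, fields):
    """POST form-encoded fields over HTTPS and return the decoded JSON reply."""
    body = urllib.parse.urlencode(fields).encode()
    request = urllib.request.Request(url, data=body)
    with urllib.request.urlopen(request, timeout=30) as resp:
        return json.load(resp)


class AccessTokenCache:
    """Holds one short-lived access token and renews it from a stored refresh token."""

    def __init__(self, client_id, refresh_token, post=post_form, clock=time.time, skew=60):
        self.client_id = client_id          # app key (assumption: PKCE client, no secret)
        self.refresh_token = refresh_token  # long-lived secret: keep in protected storage
        self.post, self.clock, self.skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def get(self):
        """Return a usable access token, refreshing only when the cached one is near expiry."""
        if self._token is None or self.clock() >= self._expires_at - self.skew:
            self._refresh()
        return self._token

    def invalidate(self):
        """Drop the cached token, e.g. after the API rejects it, so the next get() refreshes."""
        self._token = None

    def _refresh(self):
        reply = self.post(TOKEN_URL, {
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token,
            "client_id": self.client_id,
        })
        if "access_token" not in reply or "expires_in" not in reply:
            # Report only the error code: the reply body may carry token material.
            raise RuntimeError("token refresh failed: " + str(reply.get("error", "malformed reply")))
        self._token = reply["access_token"]
        # Use the lifetime the server reports, not a hard-coded number of hours.
        self._expires_at = self.clock() + float(reply["expires_in"])
```

A failed refresh means the stored refresh token is no longer usable, and the user has to go through the authorization flow again.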
