In order for a Dropbox API app to make an API call to access a user's account, the app will need an access token for that user's account. The app can get one by having the user authorize the app to access their account, via the OAuth app authorization flow. You can find more information on how this works in the OAuth Guide and authorization documentation.
Once the user authorizes the app and the app receives the access token, that app is considered "linked" to that account. The app can store and re-use the access token for that user for future API calls, without having the user authorize the app again. API calls are initiated by the API app itself, and should contain the access token.
Also, once the app is linked to the account, if the app has a webhook URI registered, changes in the account will result in Dropbox sending a webhook notification to the app's registered webhook URI(s), indicating that something has changed in that account. Webhook notifications are initiated by the Dropbox servers, and do not contain an access token.
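Because a webhook notification carries no access token, the receiving app has to authenticate the request itself and then look up the token it stored when each account was linked. The sketch below is an added example, not code from the original text or from Dropbox: it checks the `X-Dropbox-Signature` header (an HMAC-SHA256 of the request body keyed with the app secret) and maps the notified account IDs to stored tokens. `TOKEN_STORE`, the function names, the app secret and the account IDs are hypothetical, constructed values.

```python
import hashlib
import hmac
import json

# Constructed placeholder values for illustration; not real credentials.
APP_SECRET = b"example-app-secret"
# Hypothetical store: account ID -> access token saved when the user linked the app.
TOKEN_STORE = {"dbid:AAAA-constructed-linked": "stored-access-token-1"}


def verify_signature(body: bytes, signature_header: str, app_secret: bytes) -> bool:
    """Return True only if the header matches HMAC-SHA256(app_secret, body)."""
    expected = hmac.new(app_secret, body, hashlib.sha256).hexdigest()
    # Constant-time comparison; a missing header is treated as a mismatch.
    return hmac.compare_digest(expected.encode(), (signature_header or "").encode())


def tokens_for_notification(body, signature_header,
                            app_secret=APP_SECRET, store=TOKEN_STORE):
    """Authenticate a notification, then resolve each account to its stored token.

    Returns (linked, unknown): linked maps account ID -> stored token,
    unknown lists notified accounts the app holds no token for.
    """
    if not verify_signature(body, signature_header, app_secret):
        raise PermissionError("webhook signature mismatch")
    payload = json.loads(body)
    accounts = payload.get("list_folder", {}).get("accounts", [])
    linked = {a: store[a] for a in accounts if a in store}
    unknown = [a for a in accounts if a not in store]
    return linked, unknown


# Constructed sample notification body and the signature a sender
# holding APP_SECRET would attach to it.
SAMPLE_BODY = json.dumps({"list_folder": {"accounts": [
    "dbid:AAAA-constructed-linked", "dbid:BBBB-constructed-unlinked"]}}).encode()
SAMPLE_SIG = hmac.new(APP_SECRET, SAMPLE_BODY, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    linked, unknown = tokens_for_notification(SAMPLE_BODY, SAMPLE_SIG)
    print("call the API with stored tokens for:", sorted(linked))
    print("no stored token for:", unknown)
```

The signature must be computed over the raw request bytes as received, before any JSON parsing or re-serialization.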