@novaut wrote:
...
One question for how long refresh_token is alive? Is it long-lived?
...
Hi @novaut,
Yes, it's long lived token. The refresh token remains valid till explicit revoke either from application itself or user that granted access for your application to its data.
@novaut wrote:
...
I successfully got the file from Dropbox using the refresh_token and it doesn't ask for http authentication 
...
You make me doubt you have understand everything correctly. You can download a file only with access token authentication, not directly with refresh token!!! The refresh token helps you keep receiving valid access token without further user actions.
Hope this was just a confusion while typing.
Good luck.