cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Back again with another edition of 'How we use Dropbox', so find out how Emma uses to-do lists to get it all done here!

Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Is linking necessary to download files?

Is linking necessary to download files?

Ghulam A.
New member | Level 1

Is it possible to download files from my app folder (Dropbox) to my app without linking an account? If so, how would I do that?

30 Replies 30

Re: Is linking necessary to download files?

Greg-DB
Dropboxer

[Cross-linking for reference: https://stackoverflow.com/questions/34603685/how-to-download-files-to-app-from-app-folder-without-li... ]

Based on the additional information you posted in your StackOverflow question, it sounds like you just want your app to connect to your own Dropbox account, as opposed to the accounts of your end-users.

The API was designed with the intention that each user would link their own Dropbox account, in order to interact with their own files. However, it is technically possible to connect to just one account. The SDKs don't offer explicit support for it and we don't recommend doing so, for various technical and security reasons.

However if you did want to go this route, instead of kicking off the authorization flow, you would use an existing access token for your account and app. (Just be careful not to revoke it, e.g. via https://www.dropbox.com/account/security .) Also, note that while embedding an access token isn't great, you definitely shouldn't embed your username and password.

For reference, here are some other similar questions on StackOverflow where I've posted answers:

https://stackoverflow.com/questions/15014001/allow-dropbox-api-to-access-my-account-on-users-device
https://stackoverflow.com/questions/27834922/auto-login-dropbox-account-on-core-api-without-login-pr...

Re: Is linking necessary to download files?

Ghulam A.
New member | Level 1

Thank you so much! I looked through your previous answers and I think I got it. I'll try implementing it when I get home. I saw that you cited security concerns. I would of course only be downloading non-personal PDFs and Word documents. (Informational packets and forms)

There wouldn't be any problem getting my app approved to the App Store would there? Also, are there any alternate solutions that would allow me to check each file individually in a folder and only download it if it has been updated?

My goal is to check every file in the folder and decide whether or not download it without explicitly knowing what the file is. (So I can add and remove files from the folder if needed) That's why I was straying away from explicit share links.

Re: Is linking necessary to download files?

Greg-DB
Dropboxer

No problem. To elaborate a bit on the security concerns, note that client-side applications can't keep secrets, meaning that any access token stored in a distributed app could be extracted directly, or sniffed in transit. That means that a malicious user could get the access token, and use it to access the Dropbox API directly, bypassing any access controls your app attempted to enforce. They could even replace the files with other data, or revoke the access token entirely, breaking the integration for all of your users.

Anyway, I can't speak to any concerns with getting your app on the App Store. You'd have to refer to Apple for that.

Using the API would certainly be a useful way to download files and watch for when they change. As an alternative, you could use the etag header value returned on shared links, but that's not officially documented.

Re: Is linking necessary to download files?

Ghulam A.
New member | Level 1

Do you know of any way to encrypt the access key that would fit the way I'm using it?

Re: Is linking necessary to download files?

Greg-DB
Dropboxer

There are any number of ways obfuscate or encrypt it, but it's impossible to actually protect a secret in a client-side application. (E.g., if you encrypt it, the encryption key eventually needs to be on the device too, and so can be similarly stolen, etc.) No matter what, an attacker could extract the secret from the app. Or, even if the access token is encrypted at rest, they could just perform a man in the middle attack and pull the access token out as it goes over the network when making actual API calls.

Re: Is linking necessary to download files?

Ghulam A.
New member | Level 1

Okay, I'll figure that out. I know how to get my access token. How do I retrieve my access token secret or is it just the app secret?

Re: Is linking necessary to download files?

Ghulam A.
New member | Level 1

Also where can I find my user id?

Re: Is linking necessary to download files?

Greg-DB
Dropboxer

The access token secret is not the same thing as the app secret.

If you're using OAuth 1, the access token secret is the "oauth_token_secret" returned by /oauth/access_token.

If you're using OAuth 2, the access token is just one string, and doesn't have a separate "secret" portion.

Re: Is linking necessary to download files?

Greg-DB
Dropboxer

You can get your user ID from the account information API call (/account/info on v1, or /users/get_current_account on v2).

Who's talking

Top contributors to this post

  • User avatar
    Ghulam A. New member | Level 1
  • User avatar
    Greg-DB Dropboxer
What do Dropbox user levels mean?
Need more support?