Dropbox API Support & Feedback
Find help with the Dropbox API from other developers.
Hey,
I'm trying to figure out how the refresh token oauth2 process is working.
When I navigate to
https://www.dropbox.com/oauth2/authorize?client_id=<client_id>&token_access_type=offline&response_type=code
and grant premission I only get an oauth2 code but no refresh token. What am I doing wrong?
Do I have to enable something in the app center?
When you swap that code for an access token(https://api.dropbox.com/oauth2/token), the resulting payload will contain an access_token
and a refresh_token
, which can be stored and used to issue a new access token later.
Is this a newly created scoped app or an app that you're migrating? The OAuth Guide or blog post, Migrating App Permissions and Access Tokens, might be useful resources here.
In your app's settings there is an OAuth 2 section. Is the "Access token expiration" set to "Short-lived"?
Its a new scoped app and "Access token expiration" is set to "Short-lived".
When you swap that code for an access token(https://api.dropbox.com/oauth2/token), the resulting payload will contain an access_token
and a refresh_token
, which can be stored and used to issue a new access token later.
Hi! I have exactly the same problem. Can you please clarify what you mean by "swap"?
Where should I use the code (https://api.dropbox.com/oauth2/token)? curl? With any parameter/ID?
Can you please give me an easy procedure to follow, or an example? Thank you
@MarteIT By "swap", Taylor was referring to how the app sends the "authorization code" (which is received from the /oauth2/authorize OAuth step) in the request to the Dropbox /oauth2/token endpoint, and how the Dropbox API would send the access token and refresh token back in the response.
I recommend reading the OAuth Guide for an overview of how this process works. Then, refer to the authorization documentation for information on the specific endpoints and parameters to use, including examples of calling /oauth2/token using curl.
Hi Greg, thank you for your reply. I thought Taylor was referring to a somehow different procedure.
What you wrote was already clear to me and that's what I've been trying many times. The problem is that whenever I use the "authorization code" (which is received from the /oauth2/authorize OAuth step) and use it in the request to the Dropbox /oauth2/token endpoint, I get the following error:
{"error_description": "refresh token is malformed", "error": "invalid_grant"}
I'm just using the following command:
curl https://api.dropbox.com/oauth2/token -d grant_type=refresh_token -d refresh_token=["authorization code"] -u [xxxxxx]:[yyyyyyy]
Where am I wrong?
@MarteIT To exchange or "swap" the authorization code for an access token and refresh token you should use "grant_type=authorization_code", as shown in the "access token request in code flow" example (or "PKCE code flow token request" example, if using PKCE) in the /oauth2/token documentation.
Using "grant_type=refresh_token" is for when you would later use a refresh token to get a new short-lived access token.
Oh alright! I didn't get that. Honestly I find the documentation really misleading:
Example: refresh token request
curl https://api.dropbox.com/oauth2/token \ -d grant_type=refresh_token \ -d refresh_token=<REFRESH_TOKEN> \ -u <APP_KEY>:<APP_SECRET>
Anyway, now I used:
curl https://api.dropbox.com/oauth2/token -d code=[auth code] -d grant_type=authorization_code -d redirec...https://www.dropbox.com/1/oauth2/display_token -u [xxxxxx]:[yyyyyy]
and I got this error:
{"error_description": "redirect_uri mismatch", "error": "invalid_grant"}
I set the Redirect URIs --https://www.dropbox.com/1/oauth2/display_token--
as indicated in some of your previous replies. Still can't get it work. Any suggestion? Thank you.
@MarteIT The 'redirect_uri' value you supply to /oauth2/token, if any, should exactly match the 'redirect_uri' value supplied to /oauth2/authorize, if any, when that particular authorization code was retrieved. If they don't match, you'll get this error.
The https://www.dropbox.com/1/oauth2/display_token page is a basic page provided by Dropbox for use with the "token" flow (if the app doesn't have its own redirect URI to use and so instead needs to display the access token directly to the user), not the "code" flow as you're using here, so it probably doesn't make sense for your use case.
Hi there!
If you need more help you can view your support options (expected response time for a ticket is 24 hours), or contact us on X or Facebook.
For more info on available support options for your Dropbox plan, see this article.
If you found the answer to your question in this Community thread, please 'like' the post to say thanks and to let us know it was useful!