I need to upload a series of 4 files each day to a Dropbox account from my platform, using the Dropbox API.
These files are to be read by an external company. The external company has a Dropbox account and my own company also has a separate Dropbox account.
My question is about security. If we get an OAuth access token for the Dropbox of the external company, is it possible to limit the ability of our platform to upload to only a single folder in their Dropbox? If the access can only be to the entire Dropbox rather than just a single folder, I would imagine that they will have security concerns in case something goes wrong with the upload script. In other words, they wouldn't want us to have unrestricted rights on everything in their Dropbox - just those required to upload to the single folder.
Another way of doing this would be to create a shared folder on my company's Dropbox account which we then share with the external company. Then I assume that I just need an OAuth key for our own account under the API. Would this be the recommended way of doing things?
If you only need to upload the files to a single folder via the API and don't need to otherwise share the folder with others via Dropbox, the best thing to do here would be to register an app for the "app folder" permission. Access tokens for apps with this permission can only access the special "app folder" created for the app in the connected account. This can't be set to a pre-existing folder though, nor can the special app folder be made into a shared folder, or contain or be contained in a shared folder.
Otherwise, the Dropbox API unfortunately doesn't offer a way to register an app or access token for access to a specific existing folder only.
You could use a shared folder and connect a full Dropbox app to your own account though, as you described, but if an app folder setup would suffice, that would be safer.
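The upload side of the app-folder setup recommended above, as an added example that is not part of the question or the answer: a small Python script that pushes the day's files to an app registered with the "app folder" permission using the Dropbox v2 `files/upload` HTTP endpoint. It assumes the app has already been registered with that permission and that the resulting OAuth access token is supplied in a `DROPBOX_APP_FOLDER_TOKEN` environment variable (an assumed name); the four file names are likewise made up. With an app-folder token, `/` in the API path is the root of the app's own folder, so even a buggy path can't reach the rest of the connected Dropbox; the script still refuses file names containing separators or `..` so a bad input can't rearrange the layout inside that folder.

```python
"""Upload a fixed set of daily files into a Dropbox "app folder" via the HTTP API.

Added example: not the question's or answer's own code. Assumes an app
registered with the "app folder" permission and an OAuth access token for it.
"""
import json
import os
import posixpath
import urllib.request
from datetime import date

UPLOAD_URL = "https://content.dropboxapi.com/2/files/upload"
# files/upload accepts at most 150 MB per call; larger files need upload sessions.
MAX_SINGLE_UPLOAD = 150 * 1024 * 1024

# Hypothetical names for the four daily files (assumed, not from the question).
DAILY_FILES = ["orders.csv", "customers.csv", "inventory.csv", "manifest.json"]


def app_folder_path(day_iso: str, filename: str) -> str:
    """Return the API path for one file, e.g. "/2024-05-01/orders.csv".

    For an app with the "app folder" permission, "/" is the root of the app's
    own folder, not of the whole Dropbox, so the token cannot reach outside it.
    We still reject names that would change the intended per-day layout.
    """
    date.fromisoformat(day_iso)  # raises ValueError on a malformed date
    if filename in ("", ".", "..") or "/" in filename or "\\" in filename:
        raise ValueError(f"refusing unsafe file name: {filename!r}")
    path = posixpath.join("/", day_iso, filename)
    if posixpath.normpath(path) != path:
        raise ValueError(f"path would not stay under /{day_iso}: {path!r}")
    return path


def upload_headers(token: str, dropbox_path: str) -> dict:
    """Headers for a files/upload call; the arguments travel in Dropbox-API-Arg."""
    api_arg = {"path": dropbox_path, "mode": "add", "autorename": True, "mute": False}
    return {
        "Authorization": f"Bearer {token}",
        # Dropbox requires this header to be ASCII; json.dumps escapes non-ASCII
        # characters as \uXXXX by default, which is exactly what the API expects.
        "Dropbox-API-Arg": json.dumps(api_arg),
        "Content-Type": "application/octet-stream",
    }


def build_upload_request(token: str, dropbox_path: str, data: bytes) -> urllib.request.Request:
    """Build (but do not send) the files/upload request for one file."""
    if len(data) > MAX_SINGLE_UPLOAD:
        raise ValueError("file too large for a single files/upload call; use upload sessions")
    return urllib.request.Request(
        UPLOAD_URL, data=data, headers=upload_headers(token, dropbox_path), method="POST"
    )


def upload(token: str, dropbox_path: str, data: bytes) -> dict:
    """Send one upload and return Dropbox's FileMetadata response (network call)."""
    req = build_upload_request(token, dropbox_path, data)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    token = os.environ["DROPBOX_APP_FOLDER_TOKEN"]  # assumed variable name
    today = date.today().isoformat()
    for name in DAILY_FILES:
        with open(name, "rb") as fh:
            meta = upload(token, app_folder_path(today, name), fh.read())
        print("uploaded", meta["path_display"], meta["size"], "bytes")
```

Because the token is scoped to the app folder, the external company sees exactly one folder appear in their Dropbox (under Apps) and nothing else is reachable even if `app_folder_path` were wrong; the same script pointed at a full-Dropbox token would need every other path it could ever be given to be trusted.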