How to create not expires token in Dropbox API v2?

Question

As the title says, after the recent revision of the Dropbox API, the Token started to have an expiration time..

In the past, if I did not revoke, the Token could be used permanently. Maybe the expiration time is added for security reasons.

However, this is very inconvenient for my application. I will need to upload files for a very long time (maybe for more than a month at a time).

According to the current API, I can only refresh the token repeatedly to keep the token no expires...

Does anyone know if there is still a way to create a set of tokens that will not expire in the current Dropbox API?

Answer 1

I've created a GitHub repo for this which handles this problem. https://github.com/FranklinThaker/Dropbox-API-Uninterrupted-Access

let me know if I'm missing something or something needs to be fixed in this repo. Thanks.

I've followed the official steps from here: https://www.dropbox.com/developers/documentation/http/documentation

Answer 2

Here is all you need to do to get the refresh token, code snippets are in C#

Step 1: Visit the following URL and finish the steps. in the final step, you should see the Access Code Generated printed on the screen, copy the code.

https://www.dropbox.com/oauth2/authorize?client_id=YOUR_APP_KEY&response_type=code&token_access_type=offline

Step 2: Get the refresh token using the following code: (NOTE: you'll only need to do it once)

using (var httpClient = new HttpClient())
{
    using (var request = new HttpRequestMessage(new HttpMethod("POST"), "https://api.dropbox.com/oauth2/token"))
    {
        var base64authorization = Convert.ToBase64String(Encoding.ASCII.GetBytes("YOUR_APP_KEY:YOUR_APP_SECRET"));
        request.Headers.TryAddWithoutValidation("Authorization", $"Basic {base64authorization}"); 

        var contentList = new List<string>();
        contentList.Add("code=ACCESS_CODE_FROM_STEP_1");
        contentList.Add("grant_type=authorization_code");
        request.Content = new StringContent(string.Join("&", contentList));
        request.Content.Headers.ContentType = MediaTypeHeaderValue.Parse("application/x-www-form-urlencoded"); 

        var response = await httpClient.SendAsync(request);
        // process the response
    }
}

The response should be something like this:

{
    "uid": "XXXXXXXX",
    "access_token": "XXXXXXXX",
    "expires_in": 14400,
    "token_type": "bearer",
    "scope": "files.content.read files.content.write",
    "refresh_token": "XXXXXXXX",
    "account_id": "dbid:XXXXXXXX"
}

You're looking for the refresh_token. you should securely store it

Step 3: Anytime you need a new access token, run the following code:

using (var httpClient = new HttpClient())
{
    using (var request = new HttpRequestMessage(new HttpMethod("POST"), $"https://api.dropbox.com/oauth2/token"))
    {
        var base64authorization = Convert.ToBase64String(Encoding.ASCII.GetBytes("YOUR_APP_KEY:YOUR_APP_SECRET"));
        request.Headers.TryAddWithoutValidation("Authorization", $"Basic {base64authorization}");

        var contentList = new List<string>();
        contentList.Add("refresh_token=REFRESH_TOEKN");
        contentList.Add("grant_type=refresh_token");
        request.Content = new StringContent(string.Join("&", contentList));
        request.Content.Headers.ContentType = MediaTypeHeaderValue.Parse("application/x-www-form-urlencoded");

        var res = httpClient.SendAsync(request).Result;
        // process the response
    }
}

The response should be something like this:

{
    "access_token": "XXXXXXXX",
    "token_type": "bearer",
    "expires_in": 14400
}

You're looking for the access_token. and also pay attention to expires_in value, you can and probably should store the access_token in some sort of memory cache in order to prevent requesting a new token on every API call.

---

Here is the curl for getting a new refresh token.

curl https://api.dropbox.com/oauth2/token -d grant_type=refresh_token -d refresh_token=<REFRESH_TOKEN> -u <APP_KEY>:<APP_SECRET>

Answer 3

Dropbox is in the process of switching to only issuing short-lived access tokens (and optional refresh tokens) instead of long-lived access tokens. You can find more information on this migration here.

Apps can still get long-term access by requesting "offline" access though, in which case the app receives a "refresh token" that can be used to retrieve new short-lived access tokens as needed, without further manual user intervention. You can find more information in the OAuth Guide and authorization documentation.

For reference, while the creation of new long-lived access tokens is now deprecated, we don't currently have a plan to disable existing long-lived access tokens. (If that changes, we will of course announce that ahead of time.) That being the case, you can continue using existing long-lived access token(s) without interruption, if you have any. Also, note though that after the change you won't be able to create new long-lived access tokens.

While the change began on September 30th 2021, we're releasing it gradually, so you may not have seen your app(s) affected until now. Once it applies to your app, it would apply regardless of the "Access token expiration" setting for your app, and that setting may no longer be available for your app.