nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Child Item

API v2 access token validity

ralph86

Hi,

We're upgrading from v1 to v2 and the new oauth2 is still not clear to me.

On the API documentation pages it says that the code authorization flow gives you the access token (after you used the given code) and there is also told about a refresh token? That implies that the access code now has a expiration date? I hope not.

I thought that the access tokens (for use as authorization bearer) were valid until revoked by user?
So where are the refresh tokens for or are they optional? Can we just use the access tokens and use that until our customer revokes access? If not, how does the refresh tokens work? Please give some PHP / cURL examples if the refresh tokens are required.

Thank you in advance!

Find more posts tagged with

API

Abuse

Accepted answers

Greg-DB

The Dropbox API OAuth 2 implementation does not use refresh tokens. (Can you link to the part of the documentation that was confusing? We can look into clarifying it.)

Dropbox API OAuth 2 access tokens don't expire, but can be revoked at any time by the user or app.

Note that "authorization codes" are different, and do expire after a few minutes. They should only be used immediately once to get an access token.

All comments

Greg-DB

ralph86

Thanks, clear!

I don't know where the specific page is located (I just browsed the docs).

Another thing that isn't clear to me yet is the authorization page, the link differs in the doc.

This page says:
https://www.dropbox.com/1/oauth2/authorize?
Page: https://www.dropbox.com/developers/reference/oauth-guide

While this page says:
https://www.dropbox.com/oauth2/authorize

Page: https://www.dropbox.com/developers/documentation/http/documentation

What's the difference?

Thanks again!

Greg-DB

Those two are effectively the same. The first one was built with API v1, but we added another route without that part of the URL since it can be used for both API v1 and API v2. You should use the second one, without the /1/.

ralph86

Clear, thanks.