Refreshing short live tokens without Consumer Key and Consumer Secrect

Question

Dear all,

we are updating our code in order to support refresh token. We need backgroud renewal of the token.

We are using the JAVA version of the API.

It seems that in order to update the token (to refresh the short lived token) it is mandatory to store in the code the following secret information (Consumer Key and Consumer Secrect):

ApiKey and ApiSecret

DbxRequestConfig requests ApiKey and ApiSecret in order to refresh the token.

https://dropbox.github.io/dropbox-sdk-java/api-docs/v3.1.x/com/dropbox/core/oauth/DbxCredential.html

Is there another solution that avoids to write the Consumer Key and Consumer Secrect within the code?

Thanks to all

Greg-DB · Accepted Answer

Yes, you can use the "PKCE" flow to process "offline" access without having the app secret. You can find an example of running this with the Java SDK here:

https://github.com/dropbox/dropbox-sdk-java/blob/master/examples/authorize/src/main/java/com/dropbox/core/examples/authorize/PkceAuthorize.java