nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Child Item

Access token and revoke

neunygph

To whom it may concer,

1. With the API version 2, will the api token get expired ever ?

2. Assuming I want to revoke the token by making a call to /auth/token/revoke. And then try to generate the token again, at this time, will be new token the same as the revoked one, or are they 2 different tokens ?

Thanks,

Find more posts tagged with

API

Abuse

Comments

Greg-DB

1. Access tokens for the Dropbox API, regardless of which version you're using, don't expire by themselves. Users and apps can explicitly revoke tokens though.

2. In this case, you'd get a new access token, not the old one.

neunygph

Hi Greg,

Since the token does not expired itself, is there a way or function from the api to validate the user to make sure the token will not be used by someone else, in case of browser hack or something like that ?

Greg-DB

I'm not sure I understand your question, can you elaborate?

In any case though, if you would want the access tokens to effectively expire, you can have your app explicitly revoke them on whatever schedule you want.

neunygph

Hi Greg,

Thanks for getting back to me and sorry for the late response. I understand the part that we need to have the token effectively expire and it is best to be stored on the app server, but for instance if I set the token to be a cookie and store on a user's browser and have it expires in 3 days, but somehow the token is exploited by accident and is being used by another different user before the token is expired. In another word, a token from user A is being used by user B (worse scenario). And if this happen, is there a way to validate this token when it's passed to the api to make sure the token belong to the correct user ?

Thanks

Greg-DB

Thanks for elaborating! No, the API doesn't offer anything quite like that. If the user has any reason to believe their browser and/or access tokens have been compromised though, they can revoke sessions and tokens on their account security page.

neunygph

Ah ok, thanks Greg.

kgashok

I did a "revoke" using the API explorer and tried to download a file, it came back and reported that
{
"error_summary": "invalid_access_token/...",
"error": {
".tag": "invalid_access_token"
}
}

However, I could still get access to the files inside my App folder by making API calls using the same access token. How is this possible?

Greg-DB

Hi kgashok, thanks for the report. I can't seem to reproduce this issue though. Are you sure you're using the same exact token? Revoking a token applies to that single token only, but any particular user-app pair can have multiple access tokens.

If it's definitely the same token, please open an API ticket with the all of the relevant requests/responses so we can look into it:

https://www.dropbox.com/developers/contact