Forum Discussion

Collaborator | Level 8

4 years ago

Oauth2 refresh token question - what happens when the refresh token expires?

I've been testing the Dropbox OAuth2 endpoints for a few days and I have read the documentation provided directly by Dropbox. However, it is not clear to me how I'm supposed to handle the acquisition...

API

Greg-DB
4 years ago
While Dropbox "short-lived access tokens" do expire automatically, "refresh tokens" do not. When your app gets a refresh token, it can use that to continuously get new short-lived access tokens whenever needed, without further manual user intervention. (The Python SDK actually does that for you automatically.)

So, since Dropbox refresh tokens do not expire automatically they can and should be re-used repeatedly. The app will not receive a new refresh token every time it requests a new short-lived access token. It should just store and continue re-using the same one.

They can be revoked manually though, either by the user (e.g., via https://www.dropbox.com/account/connected_apps ) or the app, at which point the app would need to prompt the user to re-authorize the app if they wish to use it again.

Greg-DB

Dropbox Staff

While Dropbox "short-lived access tokens" do expire automatically, "refresh tokens" do not. When your app gets a refresh token, it can use that to continuously get new short-lived access tokens whenever needed, without further manual user intervention. (The Python SDK actually does that for you automatically.)

So, since Dropbox refresh tokens do not expire automatically they can and should be re-used repeatedly. The app will not receive a new refresh token every time it requests a new short-lived access token. It should just store and continue re-using the same one.

They can be revoked manually though, either by the user (e.g., via https://www.dropbox.com/account/connected_apps ) or the app, at which point the app would need to prompt the user to re-authorize the app if they wish to use it again.

FrustratedUser3

Collaborator | Level 8

4 years ago

Thanks for the response. Just to be sure I'm understanding:

I need to store the refresh token from the original authentication call.
When the access token expires, the original refresh token can be used to generate a new access token.

Is that correct? Also, what happens if you lose the refresh token? It doesn't make a lot of sense to force the user to authenticate via URL a second time, but that's the only way I know how to get a new access token without a refresh token using any of the flows. Am I missing something or is that right?

About Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

5,877 PostsLatest Activity: 12 months ago

If you need more help you can view your support options (expected response time for an email or ticket is 24 hours), or contact us on X or Facebook.

For more info on available support options for your Dropbox plan, see this article.

If you found the answer to your question in this Community thread, please 'like' the post to say thanks and to let us know it was useful!

Forum Discussion

Oauth2 refresh token question - what happens when the refresh token expires?

About Dropbox API Support & Feedback

Related Content

Questions about uploading files when promotional space is expiring

Refresh token expiration

Do Refresh token expire

Refresh Token Url

API access token expired

Recent Discussions

get_shared_link_metadata API problem with the new '/scl' folder links.

Trying to download a file, but no file is being downloaded.

Dropbox internal error occured - Resolution

How to add the entire team to team folder by api

API Upload .HEIC and convert to JPG