tkirby926
Explorer | Level 3
2 years ago

Allowing Website users to Dynamically create auth tokens and upload/download images

I am searching for a way to implement Dropbox as the data folder for images on my social media site, with API calls made client-side to upload and download images that populate the site. Considering the process for requesting auth access involving an access URL and a manual redirect to that URL, which then populates the access token field, I was wondering if there was a way for my users to receive the auth token returned in one (or a few) API call(s), which would then be used to make uploads/downloads. I am looking to automate this so my users can, in one swift motion, update and pull photos related to their id in my Dropbox folder. What would be the best way to go about this? Is there a way I can remove this authentication altogether and allow all fetch requests from my domain to make everything easier? Thanks in advance for the help.

  • Greg-DB
    Dropbox Staff

    tkirby926 Здравко is correct. The Dropbox API was designed with the intention that each user would link their own Dropbox account, in order to interact with their own files. While it is technically possible to always connect to just one account for all users, we do not officially support this, for various technical and security reasons. For instance, you could use a refresh token to maintain long-term access without repeated manual user interaction, but you shouldn't expose the token(s) for your own account to other users.

    • tkirby926
      Explorer | Level 3

      Thank you very much for your help on this. Looking back, I cannot believe I even asked this question based on the numerous security flaws involved. My plan is to authenticate and upload/download on the server side. For my Python backend, I still have the question of how to do this. I may not be understanding everything right, and I apologize for the inconvenience if this is the case, but my understanding is still that the way to receive an authorization code is through clicking the authorization URL and manually getting it. I was wondering if there was a way my server code could receive that auth token directly using the Python SDK and use it to upload/download, refreshing the code regularly so it does not get stale. I don't see any good solution that would involve clicking the URL every 4 hours in my automated app, and it seems foolish to try to implement a bot that would regularly click the link itself and extract the code. Would you suggest having an initial token and then using a refresh token to maintain access on my server? Please let me know the best way to do this, and thank you so much for the help.

  • Здравко
    Legendary | Level 20

    tkirby926 wrote:

    ..., with api calls made client-side to upload and download images that populate the site. ...


    Hi tkirby926,

    Such an intent is never a good idea. Client-side authentication of calls is possible - just send a refreshed access token every time a particular page needs to do some interactions using the Dropbox API. Such a solution is pretty insecure though! You let every user access your account and, in the same context, full access to all other users' content. Better consider server-side authentication and communication to Dropbox as a result of client actions - requests to your server. In such a way you have full control of what's going on and give all users only the access that they need - no more.
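
The server-side approach recommended in the replies above, sketched as an added example that is not code from any participant in this thread: the backend holds the refresh token and confines each request to the logged-in user's folder. The `/users/<user_id>/` layout, the environment variable names, the size limit and the helper names are assumptions, and the refresh token is assumed to have been obtained once through the normal authorization flow.

```python
import os
import posixpath
import re

ROOT = "/users"  # assumed layout: one folder per site user inside the app's Dropbox
_SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9._-]{0,99}\.(?:png|jpe?g|gif|webp)", re.I)


def user_path(user_id, filename):
    """Build the Dropbox path for one user's image; reject anything that could leave their folder."""
    if not _SAFE_ID.fullmatch(user_id):
        raise ValueError("invalid user id")
    if not _SAFE_NAME.fullmatch(filename):
        raise ValueError("invalid filename")
    base = posixpath.join(ROOT, user_id)
    path = posixpath.normpath(posixpath.join(base, filename))
    if posixpath.dirname(path) != base:  # defence in depth on top of the allow-lists
        raise ValueError("path escapes user folder")
    return path


def make_client():
    """Create the SDK client from server-side secrets; none of these values reach the browser."""
    import dropbox  # official Dropbox Python SDK, imported lazily

    # With a refresh token the SDK obtains short-lived access tokens on its own.
    return dropbox.Dropbox(
        oauth2_refresh_token=os.environ["DROPBOX_REFRESH_TOKEN"],  # assumed variable names
        app_key=os.environ["DROPBOX_APP_KEY"],
        app_secret=os.environ["DROPBOX_APP_SECRET"],
    )


def upload_image(dbx, session_user_id, filename, data, max_bytes=5 * 1024 * 1024):
    """session_user_id must come from your own login session, never from the request body."""
    if len(data) > max_bytes:
        raise ValueError("file too large")
    path = user_path(session_user_id, filename)
    dbx.files_upload(data, path)
    return path


def download_image(dbx, session_user_id, filename):
    """Return the image bytes, but only from the calling user's own folder."""
    _metadata, response = dbx.files_download(user_path(session_user_id, filename))
    return response.content
```

Your web framework's upload and download handlers would call `upload_image` and `download_image` with a client from `make_client()`, so browsers only ever talk to your server.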
