You might see that the Dropbox Community team have been busy working on some major updates to the Community itself! So, here is some info on what’s changed, what’s staying the same and what you can expect from the Dropbox Community overall.
Forum Discussion
Ghulam A.
9 years agoNew member | Level 1
Is linking necessary to download files?
Is it possible to download files from my app folder (Dropbox) to my app without linking an account? If so, how would I do that?
- Greg-DBDropbox Staff
[Cross-linking for reference: https://stackoverflow.com/questions/34603685/how-to-download-files-to-app-from-app-folder-without-linking-an-account-via-drop ]
Based on the additional information you posted in your StackOverflow question, it sounds like you just want your app to connect to your own Dropbox account, as opposed to the accounts of your end-users.
The API was designed with the intention that each user would link their own Dropbox account, in order to interact with their own files. However, it is technically possible to connect to just one account. The SDKs don't offer explicit support for it and we don't recommend doing so, for various technical and security reasons.
However if you did want to go this route, instead of kicking off the authorization flow, you would use an existing access token for your account and app. (Just be careful not to revoke it, e.g. via https://www.dropbox.com/account/security .) Also, note that while embedding an access token isn't great, you definitely shouldn't embed your username and password.
For reference, here are some other similar questions on StackOverflow where I've posted answers:
https://stackoverflow.com/questions/15014001/allow-dropbox-api-to-access-my-account-on-users-device
https://stackoverflow.com/questions/27834922/auto-login-dropbox-account-on-core-api-without-login-prompt - Ghulam A.New member | Level 1
Thank you so much! I looked through your previous answers and I think I got it. I'll try implementing it when I get home. I saw that you cited security concerns. I would of course only be downloading non-personal PDFs and Word documents. (Informational packets and forms)
There wouldn't be any problem getting my app approved to the App Store would there? Also, are there any alternate solutions that would allow me to check each file individually in a folder and only download it if it has been updated?
My goal is to check every file in the folder and decide whether or not download it without explicitly knowing what the file is. (So I can add and remove files from the folder if needed) That's why I was straying away from explicit share links.
- Greg-DBDropbox Staff
No problem. To elaborate a bit on the security concerns, note that client-side applications can't keep secrets, meaning that any access token stored in a distributed app could be extracted directly, or sniffed in transit. That means that a malicious user could get the access token, and use it to access the Dropbox API directly, bypassing any access controls your app attempted to enforce. They could even replace the files with other data, or revoke the access token entirely, breaking the integration for all of your users.
Anyway, I can't speak to any concerns with getting your app on the App Store. You'd have to refer to Apple for that.
Using the API would certainly be a useful way to download files and watch for when they change. As an alternative, you could use the etag header value returned on shared links, but that's not officially documented.
- Ghulam A.New member | Level 1
Do you know of any way to encrypt the access key that would fit the way I'm using it?
- Greg-DBDropbox Staff
There are any number of ways obfuscate or encrypt it, but it's impossible to actually protect a secret in a client-side application. (E.g., if you encrypt it, the encryption key eventually needs to be on the device too, and so can be similarly stolen, etc.) No matter what, an attacker could extract the secret from the app. Or, even if the access token is encrypted at rest, they could just perform a man in the middle attack and pull the access token out as it goes over the network when making actual API calls.
- Ghulam A.New member | Level 1
Okay, I'll figure that out. I know how to get my access token. How do I retrieve my access token secret or is it just the app secret?
- Ghulam A.New member | Level 1
Also where can I find my user id?
- Greg-DBDropbox Staff
The access token secret is not the same thing as the app secret.
If you're using OAuth 1, the access token secret is the "oauth_token_secret" returned by /oauth/access_token.
If you're using OAuth 2, the access token is just one string, and doesn't have a separate "secret" portion.
- Greg-DBDropbox Staff
You can get your user ID from the account information API call (/account/info on v1, or /users/get_current_account on v2).
- Ghulam A.New member | Level 1
Can you explain how to use /oauth/access_token and /account/info and /users/get_current_account? I also don't know how to tell if I'm using Oauth 1 or 2 and V1 or V2. I apologize as I am somewhat new to all that.
About Dropbox API Support & Feedback
Find help with the Dropbox API from other developers.
5,880 PostsLatest Activity: 3 hours agoIf you need more help you can view your support options (expected response time for an email or ticket is 24 hours), or contact us on X or Facebook.
For more info on available support options for your Dropbox plan, see this article.
If you found the answer to your question in this Community thread, please 'like' the post to say thanks and to let us know it was useful!