Now Available: Scoped apps and enhanced permissions

// By API Platform Team • Aug 11, 2020


We’re excited to announce several new features when authorizing apps with the Dropbox API. We use OAuth 2.0 for authorization—and today we’re adding support for scopes, PKCE, and refresh tokens to make it even easier to select the right auth model and permission level for your app.


Scopes enable you to request specific permissions, groups of API calls, from the user at authorization time. Previously, our API had app ‘types’ with fixed access to calls. Now each API call is part of a scope, allowing you to request more granular, minimal access. With scopes, you may also request more permissions from the end user at a later time, only if and when they are needed.

For example, your application may only need to verify user identity initially, then request file view, editing, or sharing permissions at a later time. This is now possible with scopes!

Authorization screens compared with different levels of scopes selected
Authorization pages with different requested scopes

With scopes, you can even ask for team permissions later. You no longer have to build separate apps to support the User API and the Business API.

Apps built with scopes have new OAuth screens for communicating these permissions to end users.


As part of this update, we’re also providing support for PKCE. PKCE is an extension to the OAuth protocol that enables dynamic client secrets, designed for public clients that cannot guarantee safety of the client secret. PKCE is an improvement over the older implicit grant for these types of applications.

If you’re building a desktop, mobile, single-page Javascript, open source, or any app being deployed to infrastructure you’re not managing, be sure to leverage this approach.

Refresh Tokens

Finally, we’ve also added support for refresh tokens. Using short lived access tokens with refresh tokens provides an additional level of security over longer-lived access tokens. Apps that require background access should be sure to use these.

Using refresh tokens requires some additional code—but we’ve updated our SDKs to make this easy.


If you’ve already built (or are in the process of building) a Dropbox app, don’t worry. There is no change to existing apps, and you don’t need to immediately migrate. Our legacy app and token types are still selectable in the developer console for the time being. We’ll eventually retire these legacy types, but will provide ample notice and time for existing apps.

Existing apps may choose to migrate their permissions to scopes in the App Console, or to incorporate PKCE and/or refresh tokens now. Stay tuned for more migration guides and examples on the web.

Getting Started

To get started, check out our updated OAuth Guide.

Questions about the new features? Please the discussion on our forum. If you need more direct help, you can contact us here.

Build with Dropbox today at

// Copy link