Authentication types

When making API calls to the Dropbox API, each request requires a certain level of authentication. If you're using an official Dropbox SDK, it will handle these specifics for you. If you're using the HTTP endpoints, however, you'll need to implement the right authentication type for each endpoint. The documentation for each endpoint indicates which type is used, which will be one of the following:

User Authentication

This is the most common authentication type. This type uses an access token for a specific user and app pair, in order to operate on that user's account, to the extent allowed by that app's permission.

Example:

curl -X POST "https://api.dropboxapi.com/2/users/get_current_account" \
    --header "Authorization: Bearer <OAUTH2_ACCESS_TOKEN>"

Team Authentication

This type uses an access token for a specific team and app pair, in order to operate on that team (or a member of the team), to the extent allowed by that app's permission.

Example:

curl -X POST "https://api.dropboxapi.com/2/team/get_info" \
    --header "Authorization: Bearer <OAUTH2_ACCESS_TOKEN>"

App Authentication

This type only uses the app's own app key and secret, and doesn't identify a specific user or team. The app key and secret are transmitted in place of a username and password using "HTTP basic access authentication".

Examples:

When supplying the app key and secret for App Authentication, the app key and secret are given in place of the HTTP username and password, respectively. This can be done either as separate strings, as shown in the first two examples below, or as a base64-encoded Basic authorization string in the Authorization header, as in the third example below.

curl -X POST "https://api.dropbox.com/1/metadata/link" -u "<APP_KEY>:<APP_SECRET>" \
    -d link="https://www.dropbox.com/sh/748f94925f0gesq/AAAMSoRJyhJFfkupnAU0wXuva?dl=0"

curl -X POST "https://<APP_KEY>:<APP_SECRET>@api.dropbox.com/1/metadata/link" \
    -d link="https://www.dropbox.com/sh/748f94925f0gesq/AAAMSoRJyhJFfkupnAU0wXuva?dl=0"

curl -X POST "https://api.dropbox.com/1/metadata/link" \
    --header "Authorization: Basic <base64(APP_KEY:APP_SECRET)>" \
    -d "link=https://www.dropbox.com/sh/748f94925f0gesq/AAAMSoRJyhJFfkupnAU0wXuva?dl=0"

To produce the encoded string in the last example, you would base64 encode the app key and app secret, separated by a :. For example, if your app key was aaaaaaaaaaaaaaa, and your app secret was bbbbbbbbbbbbbbb, you would base64 encode aaaaaaaaaaaaaaa:bbbbbbbbbbbbbbb, resulting in YWFhYWFhYWFhYWFhYWFhOmJiYmJiYmJiYmJiYmJiYg==.
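The encoding step above as a shell sketch. This is an added example, not Dropbox's own code. The function names are hypothetical, the key and secret are the sample values from this page, and `--config -` is curl's option for reading its settings from standard input.

```shell
#!/bin/sh
# Added example, not Dropbox code. Function names are hypothetical.

# Print "Authorization: Basic <base64(key:secret)>" for App Authentication.
basic_auth_header() {
    key=$1
    secret=$2
    # The first ":" separates key from secret, so the key must not contain one.
    case $key in
        ''|*:*) echo "invalid app key" >&2; return 1 ;;
    esac
    [ -n "$secret" ] || { echo "empty app secret" >&2; return 1; }
    # printf '%s' adds no trailing newline (echo would, and the newline would
    # be encoded too); tr removes the line wrapping that some base64 tools
    # insert into long output.
    encoded=$(printf '%s:%s' "$key" "$secret" | base64 | tr -d '\n')
    printf 'Authorization: Basic %s\n' "$encoded"
}

# Emit a curl config line so the header reaches curl on stdin instead of
# being written into curl's command-line arguments.
app_auth_curl_config() {
    header=$(basic_auth_header "$1" "$2") || return 1
    # Base64 output contains no quotes or backslashes, so quoting is safe.
    printf 'header = "%s"\n' "$header"
}

# Sample values from this page (not real credentials).
basic_auth_header aaaaaaaaaaaaaaa bbbbbbbbbbbbbbb

# Usage with the endpoint shown above (placeholders left unfilled):
#   app_auth_curl_config "$APP_KEY" "$APP_SECRET" |
#       curl --config - -X POST "https://api.dropbox.com/1/metadata/link" \
#           -d "link=<SHARED_LINK>"
```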

No Authentication

A small number of API calls do not require authentication, as they require a specific parameter value previously provided by Dropbox, and return limited information.

Example:

curl -X POST "https://notify.dropboxapi.com/2/files/list_folder/longpoll" \
    --header "Content-Type: application/json" \
    --data "{\"cursor\": \"ZtkX9_EHj3x7PMkVuFIhwKYXEpwpLwyxp9vMKomUhllil9q7eWiAu\",\"timeout\": 30}"