How to Create Dropbox App Key, App Secret, and Refresh Token Print

This article explains how to create a Dropbox App Key, App Secret, and a Refresh Token for use with the hTech OS Backup WHMCS addon module.

Dropbox no longer recommends long-lived access tokens. Instead, applications should use short-lived access tokens with refresh tokens, which is the method described below.

Requirements

• A Dropbox account
• Access to the Dropbox Developer Console
• Ability to create OAuth 2 apps

Step 1: Create a Dropbox App

1. Go to the Dropbox App Console:
   https://www.dropbox.com/developers/apps
2. Click Create app.
3. Select Scoped access.
4. Choose access type:
   • App folder (recommended)
   • Full Dropbox (only if required)
5. Enter an app name, for example:
   htech-whmcs-backups
6. Click Create app.

Step 2: Configure App Permissions

1. Open your app and go to the Permissions tab.
2. Enable the following scopes:

• files.content.write
• files.content.read
• files.metadata.read

Click Submit to save permissions.

Step 3: Enable Refresh Tokens

1. Go to the Settings tab.
2. Scroll to the OAuth 2 section.
3. Ensure Short-lived access tokens are enabled.
4. Ensure Allow refresh tokens is enabled.

Step 4: Get App Key and App Secret

In the Settings tab:

• Copy the App key
• Copy the App secret

These values will be used by the hTech OS Backup module.

Step 5: Generate an Authorization Code

You must authorize your Dropbox app once to obtain a refresh token.

Replace the values below and paste the URL into your browser:

https://www.dropbox.com/oauth2/authorize
?client_id=APP_KEY_HERE
&response_type=code
&token_access_type=offline

After approving access, Dropbox will redirect to a URL similar to:

https://localhost/?code=AUTHORIZATION_CODE_HERE

Copy the value of the code parameter.

Step 6: Exchange Authorization Code for Refresh Token

Use the following curl command (or Postman):

curl https://api.dropboxapi.com/oauth2/token \
  -d code=AUTHORIZATION_CODE_HERE \
  -d grant_type=authorization_code \
  -d client_id=APP_KEY_HERE \
  -d client_secret=APP_SECRET_HERE

The response will look like:

{
  "access_token": "sl.ABC123...",
  "token_type": "bearer",
  "expires_in": 14400,
  "refresh_token": "REFRESH_TOKEN_HERE",
  "scope": "files.content.read files.content.write files.metadata.read",
  "uid": "123456789",
  "account_id": "dbid:..."
}

Step 7: Configure the hTech OS Backup Module

In WHMCS Admin:

1. Go to Admin → Addons → hTech OS Backup → Settings
2. Set Provider to Dropbox
3. Enter:
   • App Key
   • App Secret
   • Refresh Token
4. Save changes.

The module will automatically request new access tokens using the refresh token.

Testing

1. Run a manual backup.
2. Confirm the backup uploads to Dropbox.
3. No further authorization is required unless the token is revoked.

Troubleshooting

No Refresh Token Returned

• Ensure token_access_type=offline was included.
• Ensure short-lived tokens are enabled in app settings.
• Re-run the authorization flow.

Invalid Client Error

• Verify App Key and App Secret are correct.
• Ensure the app was not deleted or reset.

Access Denied

• Confirm permissions were submitted.
• Re-authorize the app.

Security Notes

• Never expose your App Secret publicly.
• Store tokens securely in WHMCS.
• Revoke tokens immediately if compromised.