I have generated (manually through the web UI) multiple access tokens during testing, and all seem valid. I have probably also generated some and not actually noted them down anywhere.
How do I: a) list access tokens b) remove/revoke unneeded access tokens
I have looked here: www.dropbox.com/account/security and I can see my app listed, but there is no mention of access tokens. I do not want to remove the entire app, just some of the access tokens for it.
The app in question has "App folder" access, which means that it can only access one particular folder (and children).
Note: When I say "all seem valid" - I mean that each token can successfully be used to perform actions on the specific app folder at play.
As per the Dropbox forum:
a) The Dropbox web site/API don't offer a way to list individual access tokens.
b) There are several ways to revoke access tokens.
The user can revoke all access tokens for an app via the account security page by clicking the 'x' at the right of the app's row. This will revoke all access tokens for that app-user pair though, and doesn't offer a way to revoke specific/individual ones.
If the app uses the "app folder" permission, the user can delete the app folder itself, which will cause any further API calls for that app-user pair to fail.
The app can revoke individual access tokens using the /2/auth/token/revoke API endpoint. That will revoke only the individual access token used to make the call itself. You can use it multiple times to revoke any/all access tokens you have.