I wonder how a user is signed in using the HTTP endpoints. The doc here suggests:
User Authentication:
curl -X POST "https://api.dropboxapi.com/2/users/get_current_account" \
--header "Authorization: Bearer <OAUTH2_ACCESS_TOKEN>"
But OAUTH2_ACCESS_TOKEN is supposed to be generated by the authentication server. How does the client obtain OAUTH2_ACCESS_TOKEN via HTTP endpoints?
The Dropbox OAuth 2 access token for the end-user should be retrieved by sending the user through the Dropbox OAuth 2 app authorization flow. The endpoints for this flow are documented here:
https://www.dropbox.com/developers/documentation/http/documentation#authorization
This blog post outlines the process:
https://blogs.dropbox.com/developers/2013/07/using-oauth-2-0-with-the-core-api/
(It was written for API v1, but the OAuth 2 flow works the same way for API v2.)
The OAuth guide may also serve as a useful reference: