Killed APIs, breaking changes, OAuth and rate-limit churn, and a third-party ecosystem repeatedly left to break.
Dropbox built much of its early reach on a developer platform and a sprawling ecosystem of third-party apps that synced to users' folders. This section documents how that platform has been managed — often to the detriment of the developers and integrations that depended on it: the retirement of the original Sync and Core APIs and the hard shut-off of API v1, which broke long-standing third-party apps; painful migrations to API v2 with reduced functionality; changes to OAuth scopes and permissions; rate limits and quota changes that throttled integrations; the deprecation of platform features and SDKs; and the knock-on effects of corporate moves such as the macOS kernel-extension deprecation and the HelloSign/Dropbox Sign breach on everyone building on top of Dropbox. The pattern is a platform that developers were encouraged to adopt and then repeatedly forced to scramble around.
Because some official Dropbox SDKs pinned root certificates, Dropbox's switch to a new certificate root starting 1 January 2026 means apps on the Java, .NET, or Python SDK must upgrade to specific minimum versions or lose access to the API.
Dash connects to Google Workspace, Microsoft 365, Slack, Notion and more, and routes queries through large language models — leaving users to trust Dropbox's contractual assurances that connected and indexed data is not used to train third-party AI models.
A tracked vulnerability in the Dropbox desktop application for Windows could strip the 'Mark of the Web' flag from synced files, weakening a key warning that protects users from running downloaded, untrusted content.
The HelloSign API was rebranded to the Dropbox Sign API in 2022, and after the 2024 Dropbox Sign breach the company rotated API keys and OAuth tokens — meaning developers who had embedded e-signature functionality had to update credentials and re-establish connections, not just rename a product.
Dropbox rebranded HelloSign — the e-signature company it acquired in 2019 — as 'Dropbox Sign' in 2023, absorbing its identity into the Dropbox brand a year before the product suffered a major breach.
After nearly four years of litigation, a Texas jury found Dropbox did not infringe four file-sharing patents asserted by Motion Offense LLC, defeating a roughly $35 million damages demand — part of a wider patent fight Dropbox largely won.
A new Dropbox app starts in development status capped at 500 linked users, and once it reaches 50 users the developer has just two weeks to apply for and receive production approval — otherwise the app is frozen and cannot link any new users.
Dropbox enforces rate limits it does not publish, returning HTTP 429 errors — including a separate too_many_write_operations limit triggered by parallel writes to the same folder — that can throttle backup tools and bulk integrations without warning.
Apple's deprecation of kernel extensions forced Dropbox to rebuild its macOS sync on Apple's File Provider framework; macOS 12.3 (2022) removed the kext support Dropbox's online-only files relied on, changing behavior and temporarily breaking how third-party apps opened online-only files.
Many third-party integrations request broad, full-Dropbox access rather than scoped, folder-limited permissions — so a single connected app, if compromised, can expose everything in an account.
Dropbox's API lets connected third-party apps request 'Full Dropbox' access to a user's entire account, and broad OAuth scopes mean an app users link for one task can often read far more than they expect.
On 30 September 2021 Dropbox stopped issuing the never-expiring access tokens many integrations relied on, switching to short-lived tokens plus refresh tokens — backups, scripts, and self-hosted tools that hard-coded a static token broke unless rewritten.
Dropbox replaced its coarse legacy access types with granular OAuth scopes, requiring every developer to revisit their app's permissions in the developer console and, in many cases, have existing users re-authorize before new functionality would work.
Dropbox's OAuth model historically let third-party apps request full account access, and tokens persist until revoked — so a single over-permissioned or compromised integration can read, write or delete a user's entire Dropbox without any further prompt.
Dropbox's 'Drop-ins' — the Chooser and Saver widgets that let any app use Dropbox as an open/save dialog — launched in 2013 with fanfare, but the iOS and Android Choosers were later deprecated and the program stagnated as Dropbox steered its platform away from third-party developers toward its own collaboration features.
Dropbox announced that from November 2018 its Linux client would sync only on unencrypted ext4, abruptly breaking sync for users on XFS, Btrfs, ZFS, and encrypted volumes — including encrypted ext4.
Dropbox's move from the v1 Core API to API v2 was not a drop-in upgrade: error handling, authentication, permissions, and request formats all changed, forcing developers to rewrite integrations before v1 was switched off in 2017.
In April 2015 Dropbox announced it would retire the Sync API and the Datastore API, giving developers about a year to rewrite onto the Core API — apps that did not migrate stopped working when the Datastore API was shut down on 29 April 2016.