2026 root-certificate change forces SDK upgrades or apps lose API access
Announced 2025 (effective 1 January 2026)
Because some official Dropbox SDKs pinned root certificates, Dropbox's switch to a new certificate root starting 1 January 2026 means apps on the Java, .NET, or Python SDK must upgrade to specific minimum versions or lose access to the API.
What happened
Several official Dropbox SDKs implemented certificate pinning against a built-in list of root certificates. Dropbox announced it would issue its API server certificates from a new root starting on or after 1 January 2026, because the existing root would stop being trusted by many browsers and devices during 2026. Any app pinning the old root would therefore fail to connect after the switch.
To stay connected, developers must upgrade to minimum versions: Java SDK v7.0.0 or later, .NET SDK v7.0.0 or later (if using certificate pinning via DropboxCertHelper.InitializeCertPinning()), and Python SDK v12.0.2 or later. The JavaScript, Objective-C, and Swift SDKs are unaffected, and third-party libraries have to be checked individually. Dropbox urged developers to update 'as soon as possible to ensure continued access,' warning that apps on older affected SDK versions would lose connectivity once the certificate transition occurred.
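An added example (not Dropbox's code) that audits dependency manifests against the minimum versions listed above. The package coordinates (PyPI dropbox, Maven com.dropbox.core:dropbox-core-sdk, NuGet Dropbox.Api) are assumptions not given on this page, and the manifest contents are constructed samples.

```python
import re

# Minimum versions stated on this page for the SDKs that pinned the old root.
MINIMUMS = {"python": (12, 0, 2), "java": (7, 0, 0), "dotnet": (7, 0, 0)}

VER = r"(\d+(?:\.\d+)*)"
# Assumed package coordinates (not given on the page).
PATTERNS = {
    "python": [re.compile(r"^\s*dropbox\s*==\s*" + VER, re.I | re.M)],
    "java": [
        re.compile(r"com\.dropbox\.core:dropbox-core-sdk:" + VER),
        re.compile(r"<artifactId>dropbox-core-sdk</artifactId>\s*<version>" + VER),
    ],
    "dotnet": [re.compile(r'Include="Dropbox\.Api"\s+Version="' + VER, re.I)],
}


def parse_version(text):
    """Turn '12.0' into (12, 0, 0) so tuples compare numerically."""
    parts = [int(p) for p in text.split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def audit(manifests):
    """Return (file, ecosystem, found, minimum, ok) for each pinned Dropbox SDK."""
    findings = []
    for name, content in manifests.items():
        for eco, patterns in PATTERNS.items():
            for pattern in patterns:
                for match in pattern.finditer(content):
                    found, minimum = parse_version(match.group(1)), MINIMUMS[eco]
                    findings.append((name, eco, found, minimum, found >= minimum))
    return findings


# Constructed sample manifests, embedded so the example runs offline.
SAMPLE = {
    "requirements.txt": "requests==2.31.0\ndropbox==11.36.2\n",
    "build.gradle": "implementation 'com.dropbox.core:dropbox-core-sdk:7.0.0'\n",
    "pom.xml": "<artifactId>dropbox-core-sdk</artifactId>\n  <version>5.4.6</version>",
    "App.csproj": '<PackageReference Include="Dropbox.Api" Version="6.37.0" />',
}

if __name__ == "__main__":
    for name, eco, found, minimum, ok in audit(SAMPLE):
        status = "ok" if ok else "UPGRADE before the root switch"
        print(f"{name}: {eco} SDK {'.'.join(map(str, found))} -> {status}")
```

Only exact pins are evaluated, so version ranges and transitive dependencies still need a lockfile check. A .NET finding matters only if the app calls DropboxCertHelper.InitializeCertPinning().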
Impact
This is a hard cutoff: unlike a deprecated feature that degrades gracefully, an app that does not upgrade simply stops reaching the API after the root changes. It places another mandatory-maintenance burden on every team using the affected SDKs — including long-running, lightly maintained backend integrations most at risk of silently breaking — and continues the pattern of Dropbox platform changes that require active developer effort to avoid breakage.