'Full Dropbox' OAuth: third-party apps that can read your entire account
2021 (scoped-access rollout)
Dropbox's API lets connected third-party apps request 'Full Dropbox' access to a user's entire account, and broad OAuth scopes mean an app users link for one task can often read far more than they expect.
What happened
Dropbox's developer platform offers apps two content-access levels, fixed when the app is registered: an isolated 'App folder,' or 'Full Dropbox,' which applies whatever file scopes the app is granted to every file and folder in the user's account. In 2020–2021 Dropbox moved to granular OAuth scopes (for example files.metadata.read versus files.content.write) and short-lived access tokens, with refresh tokens available to apps that ask for them, and now reviews apps before production approval to discourage unnecessarily broad permissions. These improvements are also an acknowledgement of how much access apps had previously been granted.
The residual privacy issue is well documented across the OAuth ecosystem and applies to Dropbox: users routinely approve consent prompts without reading them, and a 'Full Dropbox' grant gives a third party standing ability to read (and, with write scopes, modify or delete) every file in the account until the user revokes the connection under Connected apps in account settings. Short-lived access tokens do not bound this on their own: an app that obtained a refresh token can mint new access tokens indefinitely, and only revocation (by the user in settings, or by the app itself via the API's auth/token/revoke call) ends it. Because API calls are authorized by the app's token rather than by a user present at the time, a compromised or careless integration can expose a user's documents without any further action by the user, a privacy surface distinct from Dropbox's own access and layered on top of it.
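As an added example, not Dropbox's code and not part of the original page, the following Python script shows what the two paragraphs above describe from the requesting side: it builds a least-privilege Dropbox authorization request (explicit scopes, PKCE, no refresh token) and audits an arbitrary authorize URL for the things a consent prompt quietly grants, namely write scopes, file-content read, a persistent refresh token (token_access_type=offline), and missing state or PKCE. The scope identifiers are Dropbox's documented scope names; the grouping into read/write sets and the risk thresholds are this example's own assumptions, as are the placeholder client id example_app_key and redirect host example.invalid. One caveat the code makes explicit: the authorize URL does not reveal whether the app was registered as 'App folder' or 'Full Dropbox', so for a Full Dropbox app every content scope reported applies to the whole account.

```python
"""Build and audit Dropbox OAuth 2.0 authorization requests.

Added example for this page; not Dropbox's own code. Scope names follow
Dropbox's scoped-access documentation; the read/write grouping and risk
ranking are assumptions made here for illustration.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://www.dropbox.com/oauth2/authorize"

# Subset of Dropbox scope identifiers. Grouping is this example's assumption.
WRITE_SCOPES = {"files.content.write", "files.metadata.write",
                "files.permanent_delete", "sharing.write"}
READ_SCOPES = {"files.content.read", "files.metadata.read", "sharing.read"}
LOW_RISK_SCOPES = {"account_info.read"}


def pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = secrets.token_urlsafe(48)  # 64 URL-safe chars, within the 43..128 range
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, scopes, state, code_challenge,
                        persistent=False):
    """Construct an authorization URL that asks for exactly `scopes`.

    persistent=True sets token_access_type=offline, which asks Dropbox for a
    refresh token; keep it False unless the app must act while the user is away.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(scopes)),  # space-separated list per RFC 6749
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "token_access_type": "offline" if persistent else "online",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_authorize_url(url):
    """Return the query parameters of a Dropbox authorize URL; scope as a set."""
    parts = urlsplit(url)
    if (parts.scheme, parts.netloc, parts.path) != ("https", "www.dropbox.com", "/oauth2/authorize"):
        raise ValueError("not a Dropbox authorize URL: %s" % url)
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    params["scope"] = set(params.get("scope", "").split())
    return params


def audit_authorize_url(url):
    """Summarise what approving this prompt would grant.

    The URL cannot show whether the app is 'App folder' or 'Full Dropbox';
    for a Full Dropbox app every content scope below covers the whole account.
    """
    params = parse_authorize_url(url)
    scopes = params["scope"]
    findings = []
    writes = scopes & WRITE_SCOPES
    if writes:
        findings.append("write: can modify or delete files (%s)" % ", ".join(sorted(writes)))
    if "files.content.read" in scopes:
        findings.append("read: can download file contents")
    persistent = params.get("token_access_type") == "offline"
    if persistent:
        findings.append("persistent: refresh token requested; access outlives token expiry until revoked")
    if "code_challenge" not in params:
        findings.append("no PKCE: authorization code is not bound to the requesting client")
    if "state" not in params:
        findings.append("no state: redirect is not protected against CSRF")
    unknown = scopes - WRITE_SCOPES - READ_SCOPES - LOW_RISK_SCOPES
    if unknown:
        findings.append("unrecognised scopes, review manually: %s" % ", ".join(sorted(unknown)))

    if writes or ("files.content.read" in scopes and persistent):
        risk = "high"
    elif "files.content.read" in scopes or persistent:
        risk = "medium"
    else:
        risk = "low"
    return {"scopes": sorted(scopes), "persistent": persistent, "risk": risk, "findings": findings}


# Constructed sample: a prompt of the kind a 'share one file' integration might
# show. Client id and redirect are placeholders, not a real registered app.
BROAD_URL = ("https://www.dropbox.com/oauth2/authorize?client_id=example_app_key"
             "&response_type=code&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb"
             "&scope=account_info.read+files.metadata.read+files.content.read+files.content.write"
             "&token_access_type=offline")

_VERIFIER, _CHALLENGE = pkce_pair()
NARROW_URL = build_authorize_url("example_app_key", "https://example.invalid/cb",
                                 {"account_info.read", "files.metadata.read"},
                                 state=secrets.token_urlsafe(16), code_challenge=_CHALLENGE)

if __name__ == "__main__":
    for url in (BROAD_URL, NARROW_URL):
        report = audit_authorize_url(url)
        print(report["risk"], report["scopes"])
        for finding in report["findings"]:
            print("  -", finding)
```

Run stand-alone, the script rates the constructed broad prompt high (write scope plus a refresh token, with no state or PKCE) and the narrow request low with no findings. The same audit function can be pointed at the consent URL of any integration before it is approved; what it cannot tell you is the App folder versus Full Dropbox registration, which only the app's settings page shows.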
Impact
The model means a user's data is only as safe as the least-trustworthy app they have ever connected. 'Full Dropbox' grants and forgotten integrations create a long tail of third parties holding standing access to private files, and shift part of the privacy burden onto users to audit and revoke connections they no longer use.