I’ve set up my app with Dropbox, and syncing functions as expected. Offering Dropbox and Google Drive storage options notes you must set up one or more OAuth2 redirect URIs, and that was straighforward.

Apps new to Dropbox must be set up as “Scoped App” and the docs don’t speak to that, or the additional Dropbox settings. I set “Allow public clients (Implicit Grant & PKCE)” to Allow, but is that necessary?

For Permissions, it seems obvious that an RS app will need files.content.read and files.content.write. I also checked files.metadata.write, but is that necessary?

For Scopes, I checked openid, but not profile or email.

I get this error in the console:
XHR POST https://api.dropboxapi.com/2/files/get_metadata [HTTP/2 409 Conflict 165ms]
and the response from Dropbox was
{"error_summary": "path/not_found/.", "error": {".tag": "path", "path": {".tag": "not_found"}}}

Should I change some setting?

They documentation might be written for an older version of the API—if you end up figuring it out it would be good to document this. But also the error seems to say ‘path not found’, so maybe check the requested path?

Relatedly, Dropbox has also shifted to “short-lived tokens” https://dropbox.tech/developers/migrating-app-permissions-and-access-tokens#updating-access-token-type which appear to last about four hours. For apps like Litewrite, which presumably are classified by Dropbox as “production”, it’s not too bad - every four hours you have to click a link to regain authorization.

But we’ll really need to add code to handle “refresh tokens” to regain the intended user experience.