4 Ways to Monitor User Activity in Dropbox
When a team runs on Dropbox, every file move, share, and delete matters. As an admin, you need to see those footprints quickly so you can spot risky behavior and prove compliance.
Luckily, Dropbox offers several built-in tools and a few external options that surface real-time activity data. This guide walks you through four reliable methods, outlining what each one shows, when to use it, and how to get started.
Table of Contents
Use Dropbox’s UI
Use the Dropbox admin console to watch user activity in real time or pull full reports.
Step 1: Open the Admin console
- Sign in at dropbox.com using an account that already carries admin rights; without that permission, the console stays hidden.
- After signing in, click your avatar in the top-right corner of the page to expose more options.
- From the dropdown that appears, choose Admin console to open the management dashboard in a fresh tab.
Step 2: Go to the Activity tab
- In the left sidebar, pick Activity to see events organized by time and categorized for quicker scanning.
- A timeline of every tracked action such as sign-ins, file edits, shares, and deletions appears automatically.
Step 3: Filter for the details you need
- In the search bar at the top, start typing a team member’s name or email address; the list narrows with each letter.
- Use the date range pickers to target a specific period that matches your audit window.
- Click Event type, then choose one or more actions, for example File download or Password change.
Step 4: Inspect a single event
- Click any row in the timeline to open a side panel with the exact time, file path, user name, IP address, and device details.
- Scan the details carefully, confirming they line up with internal records before moving on to the next entry.
- Once finished, close the panel so the main timeline comes back into full view for continued monitoring.
Step 5: Export a full report
- While you remain on the Activity page, click Export in the upper-right corner to begin building your report.
- When prompted, pick CSV, set the date range, and confirm to launch the export job.
- Dropbox assembles the file in the background and emails you a link when it is ready, though very large reports can take several minutes.
Step 6: Return for ongoing checks
- Return to the Activity tab anytime you need a quick snapshot of team behavior or proof for an ongoing investigation.
- Repeat the same filters and exports whenever policy reviews, external audits, or incident responses call for fresh data.
Use Torii
Skip the Dropbox admin panel and try Torii, a SaaS management platform that tracks Dropbox usage in real time. SMPs pull every cloud subscription into one dashboard, creating a single record of what you own, spend, and renew.
Getting Dropbox data into Torii takes just a few minutes.
1. Sign up for Torii
Contact Torii and request a free 14-day proof-of-concept.
2. Link your Dropbox tenant to Torii
Once your Torii environment is live, connect your existing Dropbox account. Follow the official directions for the Dropbox connector here.
3. Find Dropbox in the Torii dashboard
Use the search bar at the top of Torii, type “Dropbox,” and open the Dropbox page. There you’ll find license counts, total spend, upcoming renewal dates, and other key metrics.
Or, chat with Eko
You can pull detailed Dropbox stats without ever leaving Torii. Click the Eko bubble at the lower-right of your dashboard, then ask something like “Show Dropbox details.” Eko posts the answer directly in the chat pane.
Use Dropbox’s API
Here, you’ll pull audit logs straight from Dropbox so you can see who did what and when, without any dashboard clicking.
1. Create an app with the right scopes
- Sign in as a team admin and open the Dropbox App Console.
- Choose “Scoped access,” select “Team member file access,” then enable these scopes:
team_info.read,events.read. - Generate an access token. Copy it somewhere safe; you’ll need it for the next call.
2. Build the first request
The audit endpoint lives at https://api.dropboxapi.com/2/team_log/get_events.
Send a POST with your token in the header; Dropbox rejects calls that miss it immediately.
curl -X POST https://api.dropboxapi.com/2/team_log/get_events \
--header "Authorization: Bearer YOUR_ACCESS_TOKEN" \
--header "Content-Type: application/json" \
--data '{
"limit": 1000,
"time": {
".tag": "relative",
"range": "30d"
}
}'
Here’s what each field in the JSON body controls:
limitsets how many events you grab at once, up to 1000.time.rangeasks for the last 30 days; swap in"7d"or"1d"to tighten the window.
3. Handle the response
Dropbox sends back a JSON object with three keys you should note:
events: an array of actions such as file edits, logins, shares, and more.cursor: a string for pulling the next batch.has_more: true when additional data is waiting.
Keep the cursor handy until has_more finally flips to false.
4. Page through the log
When has_more comes back true, send a request to team_log/get_events/continue.
curl -X POST https://api.dropboxapi.com/2/team_log/get_events/continue \
--header "Authorization: Bearer YOUR_ACCESS_TOKEN" \
--header "Content-Type: application/json" \
--data "{\"cursor\": \"CURSOR_FROM_LAST_CALL\"}"
Keep looping until the API explicitly says you’re done processing. A lightweight while loop in your preferred language works fine.
5. Filter the events you care about
Every event arrives with a .tag value, for example file_addition or login_success.
Skip events you don’t need or route them to other tables. A simple check:
for event in events:
if event['event_type']['.tag'] in ['member_invite', 'file_delete']:
alert_queue.append(event)
6. Store or alert
- Push raw JSON into a log store (CloudWatch, Splunk, or even plain S3) for history.
- Fire alerts when high-risk actions show up: mass deletes, password changes, admin role grants.
7. Schedule regular pulls
Remember that access tokens expire after only four hours each. Refresh them or rotate tokens daily. Run the job every 5 to 10 minutes for near real time insight without hammering Dropbox’s rate limits (1,000 calls per app per hour).
8. Keep the app healthy
- Catch HTTP 429 responses and back off with exponential delay; double the wait time until ten minutes if needed.
- Audit your own logs so you know the script isn’t dropping events during deploys or outages.
- Review scopes each quarter and remove any your script no longer needs.
With these calls in place, you’ll have a steady feed of user activity ready for dashboards, alerts, or compliance reports.
Use Claude (via MCP)
You can pull the same data inside Claude by turning on the Model Context Protocol (MCP). Link Claude to your Torii instance and ask about Dropbox usage in plain language.
To watch Dropbox activity without leaving Claude, follow the steps below:
1. Set up Torii
Repeat the Torii connection process above so Torii links to your Dropbox workspace.
Once connected, head to Settings and create a fresh API key.
2. Configure MCP for Claude
Use the official Torii MCP guide alongside this blog article for reference.
Install the Claude Desktop application, then add the snippet below to your claude_desktop_config.json file:
{
"mcpServers": {
"Torii MCP": {
"command": "env",
"args": [
"TORII_API_KEY=YOUR_API_KEY",
"npx",
"@toriihq/torii-mcp"
]
}
}
}
Remember: the value for YOUR_API_KEY is the key you just made in Torii’s Settings.
3. Start chatting
Open a conversation with Claude and query your Torii environment. You can ask for a rundown on your Dropbox plan: number of seats, total spend, next renewal date, and any other metrics you care about.
Torii for SaaS Management
SaaS Management has its challenges, and Torii is ready to simplify them. From discovery to renewal, we’ve built practical tools for teams who’d rather fix problems than wrestle with spreadsheets. Torii’s SaaS Management Platform lets you:
- Uncover shadow apps: Automated monitoring scans your environment and flags unsanctioned tools as soon as they appear.
- Slash expenses: Cut down on costs by retiring idle licenses and consolidating overlapping software.
- Automate onboarding/offboarding: Hand off repetitive IT tasks, such as user provisioning and deprovisioning, to reliable workflows that save time and prevent mistakes.
- Never miss a renewal: Proactive alerts remind you of upcoming contract deadlines so you can negotiate on your terms.
Torii is the market’s first comprehensive SaaS Management Platform, giving Finance, IT, and Security one authoritative source of truth.
Learn how other organizations tame SaaS sprawl by visiting Torii for real-world stories and a quick demo.
Frequently Asked Questions
Sign in as an admin, open the Admin console, pick Activity, filter by member, date, or event type, click any row for full metadata, and hit Export to save a CSV. Repeat regularly for investigations or audits.
Use the search bar to narrow results by teammate name or email, set a precise date range that matches your audit window, and select specific event types such as File download or Password change. Combining filters trims noise and surfaces only relevant actions.
After linking your tenant, Torii displays license counts, active users, total spend, renewal dates, and usage trends in a single dashboard. You can also query Eko chat for seat details or potential savings without opening the Dropbox admin panel.
Create a scoped app with team_info.read and events.read, generate an access token, then POST to /2/team_log/get_events with a limit and time range. Paginate with the cursor endpoint until has_more is false, store JSON, and alert on risky tags.
Dropbox tokens expire every four hours and the rate limit allows 1,000 calls per hour. Polling every 5–10 minutes strikes a balance, delivering near-real-time visibility while keeping well beneath throttle thresholds and minimizing the chance of missed events.
First link Dropbox to Torii and create a fresh API key. In Claude Desktop, add a Torii MCP entry to clauded_desktop_config.json that passes TORII_API_KEY and runs the @toriihq/torii-mcp package. Restart Claude, then ask it questions about Dropbox usage.
