diff --git a/dropbox_api.gemspec b/dropbox_api.gemspec
index 09bf4abc..7f0f06bb 100644
--- a/dropbox_api.gemspec
+++ b/dropbox_api.gemspec
@@ -21,5 +21,5 @@ Gem::Specification.new do |spec|
   spec.required_ruby_version = '>= 2.3'
 
   spec.add_dependency 'faraday', '< 3.0'
-  spec.add_dependency 'oauth2', '~> 1.1'
+  spec.add_dependency 'oauth2', '~> 2.0'
 end
diff --git a/lib/dropbox_api/authenticator.rb b/lib/dropbox_api/authenticator.rb
index d2cf025a..80d6dce1 100644
--- a/lib/dropbox_api/authenticator.rb
+++ b/lib/dropbox_api/authenticator.rb
@@ -6,7 +6,11 @@ class Authenticator < OAuth2::Client
     def initialize(client_id, client_secret)
       super(client_id, client_secret, {
         authorize_url: 'https://www.dropbox.com/oauth2/authorize',
-        token_url: 'https://api.dropboxapi.com/oauth2/token'
+        token_url: 'https://api.dropboxapi.com/oauth2/token',
+        # oauth2 2.0 defaults `auth_scheme` to `:basic_auth`, sending the
+        # client credentials in the Authorization header. Dropbox expects them
+        # in the request body, which was the oauth2 1.x default behaviour.
+        auth_scheme: :request_body
       })
     end
   end