A little bit of googling makes it seem like auth tokens are not sent it plaintext over HTTPS but are authenticated using challenge response – http://forums.dropbox.com/topic.php?id=47952 The WWW site may differ.
Obviously that would work, but not if you're using Challenge-response authentication. In general, I don't think people bother with now that when using https.