Box has two authentication models for authenticating your application and making requests to the REST API: standard OAuth 2 and OAuth 2 with JSON Web Tokens (JWT).
OAuth 2.0 is a protocol that allows your app to request a user's authorization to access content in their Box account. This authentication model follows the standard 3-legged OAuth 2.0 process and is designed to be used with Managed Users and External Users. It is the standard authentication mechanism for building Partner and Custom integrations with Box.
[Figure: Sample authentication flow]
Choose OAuth 2 as your authentication method if:
- You are only working with users that have existing Box accounts.
- You want your users to know that they are using Box when authenticating.
- You want all your content managed within the user's Box account and not in your application.
OAuth 2.0 with JSON Web Tokens allows for server-to-server interactions with the Box API. Instead of authenticating via a user, an application authenticates directly to Box by generating a JSON Web Token (JWT) signed with an RSA key pair, which Box verifies with the public key registered for the application. This replaces the first leg of the standard 3-legged OAuth process, in which a user grants an application permission to access the user's Box account, and so removes the friction of multiple logins and services for your users. The JWT auth process is designed to be used with Box Platform and App Users.
In the standard Box integration, applications integrate directly with pre-existing Box accounts, granting access to user-specific content; however, these accounts remain owned by the end-user and their associated enterprise. With App Auth and App Users, developers have access to all of the functionality of Box’s Content API while also owning the user authentication, user accounts, and content associated with their application.
Choose OAuth 2 with JWT as your authentication method if:
- Your users don't have a Box account or credentials.
- You do not want your users to log into Box, or necessarily know that they are using Box, in order to authenticate.
- You want all content managed within the application and not in the user's Box account.
- You want to use your own identity system to authenticate your users.
The following chart compares the uses and capabilities of each authentication model.

| | OAuth 2 | OAuth 2 with JWT |
|---|---|---|
| How is the app authenticated? | User is redirected to Box to log in and authorize the app. | Direct server-to-server authentication. |
| Allows Alternate Authentication System? | No | Yes |
| Where is Content Stored? | Within the user's Box account. | Within the application's service account or within the app user account. |
- JWT Application Setup: Set up and configure a new JWT application.
- OAuth Application Setup: Set up and configure a new OAuth application.