Picking an Auth Type

Box offers two authentication models for authenticating your application and making requests to the REST APIs: standard OAuth 2 and OAuth 2 with JSON Web Tokens (JWT).

OAuth 2

OAuth 2.0 is a protocol that allows your app to request a user's authorization to access content in his or her Box account. This authentication model follows the standard 3-legged OAuth 2.0 process and is designed to be used with Managed Users and External Users. This is the standard authentication mechanism for building Partner and Custom integrations with Box.

When to Use

Choose OAuth 2 as your authentication method if:

  • You are only working with users that have existing Box accounts.
  • You want your users to know that they are using Box when authenticating.
  • You want all your content managed within the user's Box account and not in your application.

OAuth 2 with JWT

OAuth 2.0 with JSON Web Tokens allows for server-to-server interactions with the Box API. Instead of authenticating via a user, an application can authenticate directly to Box by generating a JSON Web Token (JWT) verified with an RSA keypair. This authentication replaces the first leg of the standard 3-legged OAuth process in which a user grants an application permission to access the user’s Box account, removing the friction of multiple logins and services for your users. The JWT auth process is designed to be used with Box Platform and Application Users.
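The server-to-server step described above, as an added Node.js example that is not code from Box or from this page: the application signs a short-lived assertion with its RSA private key, and the receiver accepts it only if the signature, audience and expiry check out. The claim set, the `box_sub_type` claim and the audience URL are assumed from Box's JWT documentation rather than this page; `buildAssertion`, `verifyAssertion` and `demo` are hypothetical names, the IDs are placeholders, and `verifyAssertion` only stands in for the receiving side.

```javascript
const crypto = require('crypto');

// Assumed from Box's JWT documentation (not on this page): token endpoint as audience.
const AUD = 'https://api.box.com/oauth2/token';
const b64url = (data) => Buffer.from(data).toString('base64url');

// Application side: sign a short-lived, single-use assertion with the RSA private key.
function buildAssertion({ clientId, subject, subType, keyId, privateKey, now }) {
  const header = { alg: 'RS256', typ: 'JWT', kid: keyId };
  const claims = {
    iss: clientId,                // the application's client ID
    sub: subject,                 // enterprise ID or app user ID
    box_sub_type: subType,        // 'enterprise' or 'user' (assumed claim name)
    aud: AUD,
    jti: crypto.randomBytes(16).toString('hex'), // unique per assertion
    exp: now + 45,                // short lifetime limits replay
  };
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${b64url(crypto.sign('sha256', Buffer.from(input), privateKey))}`;
}

// Receiving side (illustrative): pin the algorithm, verify with the registered
// public key, then check audience and expiry. Returns the claims or null.
function verifyAssertion(token, publicKey, now) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [h, c, s] = parts;
  if (JSON.parse(Buffer.from(h, 'base64url').toString()).alg !== 'RS256') return null;
  const sig = Buffer.from(s, 'base64url');
  if (!crypto.verify('sha256', Buffer.from(`${h}.${c}`), publicKey, sig)) return null;
  const claims = JSON.parse(Buffer.from(c, 'base64url').toString());
  return claims.aud === AUD && claims.exp > now ? claims : null;
}

// Constructed demo: throwaway keypair and placeholder IDs.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const now = Math.floor(Date.now() / 1000);
  const token = buildAssertion({ clientId: 'CLIENT_ID_PLACEHOLDER', subject: '12345',
    subType: 'enterprise', keyId: 'KEY_ID_PLACEHOLDER', privateKey, now });
  const [h, c, s] = token.split('.');
  const claims = JSON.parse(Buffer.from(c, 'base64url').toString());
  const altered = b64url(JSON.stringify({ ...claims, sub: '99999' }));
  return {
    valid: verifyAssertion(token, publicKey, now),
    altered: verifyAssertion(`${h}.${altered}.${s}`, publicKey, now),
    expired: verifyAssertion(token, publicKey, now + 60),
  };
}
```

Because the private key stands in for a user's consent, it belongs in a secrets store on the server and never in client-side code or source control.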

When to Use

Choose OAuth 2 with JWT as your authentication method if:

  • Your users don't have a Box account or credentials.
  • You do not want your users to log into Box, or necessarily know that they are using Box, in order to authenticate.
  • You want all content managed within the application and not in the user's Box account.
  • You want to use your own identity system to authenticate your users.

Comparison Chart

The following chart compares the uses and capabilities of each authentication model.

| | OAuth 2 | OAuth 2 with JWT |
|---|---|---|
| User Types | Managed Users, External Users | App Users |
| Authentication Flow | User is redirected to Box to log in and authenticate app. | Direct server-to-server authentication. |
| Allows Alternate Authentication System? | | |
| Where is Content Stored? | Within the user's Box account. | Within the application service account or within the app user account. |

Next Steps

Related Resources

  • User Types: Learn more about managed users, external users, and app users.
  • Security Guidelines: Learn more about the security, compliance, and permissions guidelines which Box adheres to.
