Skip to main content

Documentation Index

Fetch the complete documentation index at: https://developer.box.com/llms.txt

Use this file to discover all available pages before exploring further.

Prerequisites

To set up a Platform App using server-side authentication, you need to ensure you have access to the Developer Console from your Box enterprise account. Alternatively, you may sign up for a developer account.

App creation steps

Log into Box and go to the Developer Console. Select Platform Apps, then click New App.

Create a new app

On the Create a New App screen, enter your app name and select Client Credentials Grant from the App Type dropdown.
Create a New App screen
Once you make a selection, you are not able to change to a different authentication method without creating a new application.

App Authorization

Before the application can be used, a Box Admin or Co-Admin needs to authorize it. On the Configuration tab in the Developer Console:
  • If you are a Box Admin or Co-Admin, click Authorize to authorize the app immediately.
  • If you are not an Admin or Co-Admin, click Submit to send an authorization request to your Admin or Co-Admin. You receive an email once the request is approved or denied.
More information on this process is available in our .

Learn how to authorize a Platform Application

Basic configuration

Application Access

An application’s access level determines which users and content your app may access. By default, an application can only successfully interact with the content of its and any . To also access existing Managed Users of an enterprise, navigate to the App Access Level setting on the Configuration tab of the Developer console and set to App + Enterprise Access.
App access level
To authenticate as a Managed User or Admin, enable Generate User Access Tokens in the Additional Configuration section of the Configuration tab.

Application Scopes

An application’s scopes determine which endpoints and resources an application can successfully call. See the for detailed information on each option.
App scopes

CORS Domains

If your application makes API calls from front-end browser code in Javascript, the domain that these calls are made from needs to be added to an allow-list due to Cross Origin Resource Sharing, also known as CORS. If all requests are made from server-side code, you may skip this section. To add the full URI(s) to the allow-list, navigate to the CORS Domain section at the bottom of the Configuration tab in the Developer console.
App CORS config

Using SDKs and Client Credentials Grant

To learn more about Client Credentials Grant for each SDK head over to: