Token Request

A request for a new OAuth2 token

string / token
c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ

The actor token used to create an annotator token. This is a JWT assertion.

Used in combination with urn:ietf:params:oauth:grant-type:token-exchange as the grant_type.

string / urn
urn:ietf:params:oauth:token-type:id_token

Value is always "urn:ietf:params:oauth:token-type:id_token"

string / jwt
xxxxx.yyyyy.zzzzz

A JWT assertion for which to request a new access token.

Used in combination with urn:ietf:params:oauth:grant-type:jwt-bearer as the grant_type.

string
ly1nj6n11vionaie65emwzk575hnnmrk

The Client ID of the application requesting an access token.

Used in combination with authorization_code or urn:ietf:params:oauth:grant-type:jwt-bearer as the grant_type.

hOzsTeFlT6ko0dme22uGbQal04SBPYc1

The client secret of the application requesting an access token.

Used in combination with authorization_code or urn:ietf:params:oauth:grant-type:jwt-bearer as the grant_type.

string / token
n22JPxrh18m4Y0wIZPIqYZK7VRrsMTWW

The client-side authorization code passed to your application by Box in the browser redirect after the user has successfully granted your application permission to make API calls on their behalf.

Used in combination with authorization_code as the grant_type.

string / urn
authorization_code

The type of request being made, either using a client-side obtained authorization code, a refresh token, a JWT assertion, or another access token for the purpose of downscoping a token.

Value is one of "authorization_code", "refresh_token", "urn:ietf:params:oauth:grant-type:jwt-bearer", "urn:ietf:params:oauth:grant-type:token-exchange"

string / token
c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ

A refresh token used to get a new access token with.

Used in combination with refresh_token as the grant_type.

string / url
https://api.box.com/2.0/files/123456

Full URL for the file that the token should be generated for.

string / space_delimited_list
item_upload item_preview base_explorer

The space-delimited list of scopes that you want apply to the new access token.

The subject_token will need to have all of these scopes or the call will error with 401 Unauthorized.

string / token
c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ

The token to exchange for a downscoped token. This can be a regular access token, a JWT assertion, or an app token.

Used in combination with urn:ietf:params:oauth:grant-type:token-exchange as the grant_type.

urn:ietf:params:oauth:token-type:access_token

Value is always "urn:ietf:params:oauth:token-type:access_token"

Response Example

{
  "grant_type": "authorization_code",
  "client_id": "ly1nj6n11vionaie65emwzk575hnnmrk",
  "client_secret": "hOzsTeFlT6ko0dme22uGbQal04SBPYc1",
  "code": "n22JPxrh18m4Y0wIZPIqYZK7VRrsMTWW",
  "refresh_token": "c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ",
  "assertion": "xxxxx.yyyyy.zzzzz",
  "subject_token": "c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ",
  "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
  "actor_token": "c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ",
  "actor_token_type": "urn:ietf:params:oauth:token-type:id_token",
  "scope": "item_upload item_preview base_explorer",
  "resource": "https://api.box.com/2.0/files/123456"
}