A Custom Application using Server Authentication
(with Client Credentials Grant) authentication in the Box
Developer Console
2FA enabled on your Box account for viewing and copying the
application's client secret from the configuration tab
The application is authorized in the Box Admin Console
Your client secret is confidential and needs to be protected. Because this is
how we securely identify an application's identity when obtaining an
Access Token, you do not want to freely distribute a client secret. This
includes via email, public forums and code repositories, distributed native
applications, or client-side code. If you would like to add more security
mechanisms, we recommend using our standard JWT application type.
When making your API call to obtain an Access Token, your
request body needs to contain your client ID and client Secret. Set the
grant_type to client_credentials.
If you would like to authenticate as the application's Service Account:
set box_subject_type to enterprise
set box_subject_id to the enterprise ID
If you would like to authenticate as a Managed User:
import BoxSDK
let sdk = BoxSDK(clientId: "YOUR CLIENT ID HERE", clientSecret: "YOUR CLIENT SECRET HERE")
sdk.getCCGClientForAccountService(enterpriseId: "YOUR ENTERPRISE ID HERE") { result in
switch result {
case let .success(client):
// Use client to make API calls
case let .failure(error):
// Handle error creating client
}
}
the client ID and client secret passed are incorrect or are not for the same
application
the box_subject_id cannot be used based on the selected
application access. For example, if you send in a box_subject_type of
enterprise and your application is configured for App Access Only, the
grant credentials are invalid error will be returned