Setup with Client Credentials Grant

Setup with Client Credentials Grant


To set up a Custom App using server-side authentication, you will need to ensure you have access the Developer Console from your Box enterprise account. Alternatively, you may sign up for a developer account.

App creation steps

1. Navigate to the Developer Console

Log into Box and navigate to the Developer Console. Select Create New App.

2. Select the type of application

Select Custom App from the list of application types. A modal will appear to prompt a selection for the next step.

Auth selection screen

3. Select the type of authentication and application name

Select Server Authentication (with Client Credentials Grant) if you would like to verify application identity with a client ID and client secret. Then, provide a name for your application and click Create App.

Once you make a selection, you will not be able to change to a different authentication method without creating a new application.

App Authorization

Before the application can be used, a Box Admin needs to authorize the application within the Box Admin Console.

Navigate to the Authorization tab for your application within the Developer Console.

Add and Manage keys

Click Review and Submit to send an email to your Box enterprise Admin for approval. More information on this process is available in our authorization guide.

Learn how to authorize a Custom Application

Basic configuration

Application Access

An application's access level determines which users and content your app may access. By default, an application can only successfully interact with the content of its Service Account and any App Users. To also access existing Managed Users of an enterprise, navigate to the Application Access settings accessible via the Configuration tab of the Developer console and set to App + Enterprise Access.

App access level

Application Scopes

An application's scopes determine which endpoints and resources an application can successfully call. See the scopes guide for detailed information on each option.

App scopes

CORS Domains

If your application makes API calls from front-end browser code in Javascript, the domain that these calls are made from will need to be added to an allow-list due to Cross Origin Resource Sharing, also known as CORS. If all requests will be made from server-side code, you may skip this section.

To add the full URI(s) to the allow-list, navigate to the CORS Domain section at the bottom of the Configuration tab in the Developer console.

App CORS config

Using SDKs and Client Credentials Grant

To learn more about Client Credentials Grant for each SDK head over to: