# Client Credentials Grant

Follow the steps below if you would like to leverage server authentication and
verify your application's identity using a client ID and client secret.

## Prerequisites

* A Platform Application using Server Authentication (with Client Credentials Grant) in the Box [Developer Console][devconsole]
* [2FA][2fa] enabled on your Box account for viewing and copying the application's client secret from the configuration tab
* The application is <Link href="/guides/authorization">authorized</Link> in the Box Admin Console

<Danger>
  Your client secret is confidential and must be protected. Because it is
  how we securely verify an application's identity when obtaining an
  Access Token, do not distribute it freely. This includes email, public
  forums and code repositories, distributed native applications, and
  client-side code. If you would like to add more security
  mechanisms, we recommend using our standard JWT application type.
</Danger>

## How to use

When making your API call to obtain an <Link href="/reference/post-oauth2-token">Access Token</Link>, your
request body needs to contain your client ID and client secret. Set the
`grant_type` to `client_credentials`.

If you would like to authenticate as the application's <Link href="/platform/user-types/#service-account">Service Account</Link>:

* set `box_subject_type` to `enterprise`
* set `box_subject_id` to the enterprise ID

If you would like to authenticate as an admin or a managed user:

* set `box_subject_type` to `user`
* set `box_subject_id` to the user ID
* enable **App + Enterprise Access** and **Generate User Access Tokens** in the Box [Developer Console][devconsole]

If you would like to authenticate as any application user:

* set `box_subject_type` to `user`
* set `box_subject_id` to the user ID
* enable **Generate User Access Tokens** in the Box [Developer Console][devconsole]

## Common Errors

### Grant credentials are invalid

During authentication, you can encounter the following error:

```sh
Grant credentials are invalid [400 Bad Request] invalid_grant - Grant credentials are invalid
```

This error indicates either:

* the client ID and client secret passed are incorrect or are not for the same application,

* the `box_subject_id` cannot be used based on the selected <Link href="/guides/authentication/client-credentials/client-credentials-setup/#application-access">application access</Link>.

<Warning>
  A CCG app with App Access Only can send in the `box_subject_type` of `enterprise` to authenticate as its service account, but it can't authenticate as a managed user or an admin.
</Warning>

* to use a `box_subject_type` of `user`, your application should be configured to generate user access tokens in the **Advanced Features** section of the **Configuration tab**.

  <Frame>
      <img src="https://mintcdn.com/box/biE81cmEmV1QnYl4/guides/authentication/client-credentials/image.png?fit=max&auto=format&n=biE81cmEmV1QnYl4&q=85&s=eb49d9cdb4654e44e101e877baa60ef7" alt="Generate access tokens check" width="750" height="98" data-path="guides/authentication/client-credentials/image.png" />
  </Frame>

<Warning>
  Once you make changes to the app settings, don't forget to <Link href="/guides/authorization/platform-app-approval#re-authorization-on-changes">reauthorize</Link> the application in the Admin Console.
</Warning>

* your application has not been authorized in the Box Admin Console
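
The request described under "How to use" and the `invalid_grant` checklist above, as an added Python example that is not part of the original Box documentation. It assumes the token endpoint URL `https://api.box.com/oauth2/token`, the hypothetical environment variables `BOX_CLIENT_ID` and `BOX_CLIENT_SECRET`, and an OAuth 2.0 style JSON error body with an `error` field.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Assumption: Box's token endpoint (the page links to its reference, not the URL).
TOKEN_URL = "https://api.box.com/oauth2/token"

def build_token_request(client_id, client_secret, subject_type, subject_id):
    """Build the form-encoded POST for a Client Credentials Grant token."""
    if subject_type not in ("enterprise", "user"):
        raise ValueError("box_subject_type must be 'enterprise' or 'user'")
    if not all((client_id, client_secret, subject_id)):
        raise ValueError("client ID, client secret and subject ID are required")
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "box_subject_type": subject_type,
        "box_subject_id": str(subject_id),
    }).encode()
    # Credentials travel in the POST body over HTTPS, never in the URL.
    return urllib.request.Request(TOKEN_URL, data=body, method="POST")

def diagnose(status, payload, subject_type):
    """Map an invalid_grant response to the causes listed under Common Errors."""
    if status != 400 or payload.get("error") != "invalid_grant":
        return []
    causes = ["client ID and client secret are wrong or belong to different apps",
              "app is not authorized (or not reauthorized) in the Admin Console"]
    if subject_type == "user":
        causes += ["Generate User Access Tokens is not enabled",
                   "App Access Only apps cannot act as a managed user or admin"]
    return causes

def fetch_token(subject_type, subject_id):
    """Read the credentials from the environment and request a token."""
    # Hypothetical variable names; keep the secret out of source control.
    req = build_token_request(os.environ["BOX_CLIENT_ID"],
                              os.environ["BOX_CLIENT_SECRET"],
                              subject_type, subject_id)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)["access_token"]
    except urllib.error.HTTPError as err:
        hints = diagnose(err.code, json.load(err), subject_type)
        raise RuntimeError("token request failed: " + "; ".join(hints)) from err
```

Call `fetch_token("enterprise", <enterprise ID>)` for the Service Account, or `fetch_token("user", <user ID>)` for a user.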

[2fa]: https://support.box.com/hc/en-us/articles/360043697154-Two-Factor-Authentication-Set-Up-for-Your-Account

[devconsole]: https://app.box.com/developers/console

