JWT Auth

Server-side authentication using JSON Web Tokens (JWT) is the most common way to authenticate to the Box API. JWT is an open standard designed to allow powerful server-to-server authentication.

The JWT flow

Server-side authentication using JWT is only available to the Custom Application app type. This authentication method does not require end-user interaction and, if granted the proper privileges, can be used to act on behalf of any user in an enterprise.

There are two ways you can verify an application's permissions:

  • using a public and private key pair
  • using a client ID and client secret (Client Credentials Grant)

To learn more about these options, visit our guide on using JWT without SDKs.

At this time, our SDKs do not support the Client Credentials Grant.

Upon authorizing a JWT application in the Box Admin Console, a Service Account is automatically generated, and the Access Token the application obtains by default is issued for that Service Account. This is an admin-like user, which is why applications leveraging JWT require explicit Box Admin approval before use.

When to use JWT

Server-side authentication with JWT is the ideal authentication method for apps that:

  • Work with users that don't have a Box account
  • Want to use their own identity system
  • Don't want users to have to know that they are using Box
  • Want to store data within the application's Box account and not within the user's Box account