Box Developer Documentation
 

    Select Auth Method

    The type of authorization your application can use depends on the type of Box Application that you've configured in the developer console.

    Learn how to select the application type for your app

    The following authorization methods are available to each Box application type.

    Box Application Type    Supports OAuth 2.0?   JWT?   Client Credentials?   App Token?
    Custom App              Yes                   Yes    Yes                   No
    Limited Access App      No                    No     No                    Yes
    Custom Skill            No                    No     No                    No

    Client-side

    OAuth 2.0

    OAuth 2.0 requires the application to redirect end users to their browser, where they log in to Box and authorize the application to act on their behalf. The application then exchanges the resulting authorization code for an access token and a refresh token.
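    The three steps of that redirect flow, as an added example that is not Box's own code or SDK: build the authorization URL with a per-login `state`, validate the callback Box sends back, and build the server-side form body that exchanges the code for tokens. The endpoint URLs and parameter names are the ones Box documents; the client ID, client secret, redirect URI and authorization code are placeholders, and nothing is sent over the network.

```python
import secrets
import urllib.parse

# Endpoints from Box's OAuth 2.0 documentation.
AUTHORIZE_URL = "https://account.box.com/api/oauth2/authorize"
TOKEN_URL = "https://api.box.com/oauth2/token"


def new_state() -> str:
    """Unguessable per-login value; store it in the user's session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Step 1: the URL the user's browser is sent to. redirect_uri must be one registered for the app."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: Box redirects back to redirect_uri with ?code=...&state=... (or ?error=...).

    Returns the one-time authorization code; raises ValueError for a denied, replayed
    or forged callback. The state check is the CSRF defence: a callback whose state is
    not the one stored in this user's session did not come from this user's login.
    """
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def token_exchange_body(client_id: str, client_secret: str, code: str) -> str:
    """Step 3: form body the server POSTs to TOKEN_URL.

    The client secret is used only here, server to server; it never reaches the browser.
    """
    return urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
    })


def refresh_body(client_id: str, client_secret: str, refresh_token: str) -> str:
    """Later: trade the refresh token for a new access token without another browser round trip."""
    return urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    })


if __name__ == "__main__":
    # Constructed walk-through with placeholder identifiers; no request is actually sent.
    state = new_state()
    print(build_authorize_url("YOUR_CLIENT_ID", "https://app.example.com/box/callback", state))
    callback = "https://app.example.com/box/callback?code=EXAMPLE_CODE&state=" + state
    code = parse_callback(callback, state)
    print(token_exchange_body("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET", code))
```

    The access token that comes back represents the user who clicked "Grant access"; the refresh token lets the server keep acting for that user after the access token expires, which is why both belong in server-side storage rather than in the page.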

    Box OAuth 2.0 approval

    When to use OAuth 2.0?

    Client-side authentication is the ideal authentication method for apps that:

    • work with users who have existing Box accounts
    • use Box for identity management, so users know they are using Box
    • store data within each user account vs. within an application's Service Account

    Learn about client-side authentication with OAuth 2.0

    Server-side

    JWT

    Server-side authentication using JSON Web Tokens (JWT) does not require end-user interaction and, if granted the proper privileges, can be used to act on behalf of any user in an enterprise. Identity is validated using a JWT assertion signed with the application's private key, which Box verifies against the public key registered for the application.

    Box JWT flow

    When to use JWT?

    Server-side authentication with JWT is the ideal authentication method for apps that:

    • work with users without Box accounts
    • use their own identity system
    • do not want users to know they are using Box
    • store data within the application's Service Account and not a user's account

    Learn about server-side authentication with JWT

    Client Credentials Grant

    Server-side authentication using Client Credentials Grant does not require end-user interaction and, if granted the proper privileges, can be used to act on behalf of any user in an enterprise. Identity is validated using the application's client ID and client secret alone, so the secret must stay on the server and be treated as a credential that grants the application's full privileges.
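    The two server-side grants side by side, as an added example that is not Box's own code or SDK: the JWT section above exchanges a signed assertion for a token, and Client Credentials Grant exchanges only the client ID and secret. The endpoint, grant types, claim names and the 60-second limit on `exp` are from Box's JWT and CCG documentation; the client ID, secret, enterprise ID and public key ID are placeholders. Signing is passed in as a callable so the block runs without a key library; the docstring shows how to supply it with the `cryptography` package. Nothing is sent over the network.

```python
import base64
import json
import secrets
import time
import urllib.parse
from typing import Callable, Optional

TOKEN_URL = "https://api.box.com/oauth2/token"
JWT_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"
SUBJECT_TYPES = ("enterprise", "user")  # enterprise -> Service Account; user -> a managed or App User


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _compact(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def build_jwt_assertion(client_id: str, subject_type: str, subject_id: str, public_key_id: str,
                        sign: Callable[[bytes], bytes], now: Optional[int] = None,
                        ttl_seconds: int = 45) -> str:
    """Build the RS256 assertion that Box exchanges for an access token.

    `sign` must return the PKCS#1 v1.5 / SHA-256 signature of its input made with the
    application's private key, for example with the cryptography package:
        key = serialization.load_pem_private_key(pem_bytes, password=passphrase)
        sign = lambda msg: key.sign(msg, padding.PKCS1v15(), hashes.SHA256())
    Box verifies the signature against the public key registered under `public_key_id`.
    """
    if subject_type not in SUBJECT_TYPES:
        raise ValueError("box_sub_type must be one of " + ", ".join(SUBJECT_TYPES))
    if not 0 < ttl_seconds <= 60:
        raise ValueError("Box rejects assertions whose exp is more than 60 seconds in the future")
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "kid": public_key_id}
    claims = {
        "iss": client_id,
        "sub": str(subject_id),
        "box_sub_type": subject_type,
        "aud": TOKEN_URL,
        "jti": secrets.token_hex(32),  # 64 chars, unique per assertion: a captured one cannot be replayed
        "exp": now + ttl_seconds,
    }
    signing_input = _b64url(_compact(header)) + "." + _b64url(_compact(claims))
    return signing_input + "." + _b64url(sign(signing_input.encode("ascii")))


def jwt_token_request_body(client_id: str, client_secret: str, assertion: str) -> str:
    """Form body POSTed to TOKEN_URL for the JWT grant."""
    return urllib.parse.urlencode({
        "grant_type": JWT_GRANT_TYPE,
        "assertion": assertion,
        "client_id": client_id,
        "client_secret": client_secret,
    })


def ccg_token_request_body(client_id: str, client_secret: str, subject_type: str, subject_id: str) -> str:
    """Form body POSTed to TOKEN_URL for Client Credentials Grant: no assertion and no key pair,
    so the client secret on its own is the credential and must never leave the server."""
    if subject_type not in SUBJECT_TYPES:
        raise ValueError("box_subject_type must be one of " + ", ".join(SUBJECT_TYPES))
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "box_subject_type": subject_type,
        "box_subject_id": str(subject_id),
    })


def _decode_segment(assertion: str, index: int) -> dict:
    segment = assertion.split(".")[index]
    segment += "=" * (-len(segment) % 4)  # restore the base64 padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(segment))


def decode_header(assertion: str) -> dict:
    """Decode the header segment without verifying the signature (inspection only)."""
    return _decode_segment(assertion, 0)


def decode_claims(assertion: str) -> dict:
    """Decode the claims segment without verifying the signature (inspection only)."""
    return _decode_segment(assertion, 1)


if __name__ == "__main__":
    # Constructed demo with a placeholder signer so it runs offline; use a real RSA signer in practice.
    demo_sign = lambda msg: b"placeholder-signature"
    assertion = build_jwt_assertion("YOUR_CLIENT_ID", "enterprise", "123456", "YOUR_PUBLIC_KEY_ID", demo_sign)
    print(decode_claims(assertion))
    print(jwt_token_request_body("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET", assertion))
    print(ccg_token_request_body("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET", "enterprise", "123456"))
```

    In both grants the `sub`/`box_subject_id` value decides whose token comes back: the enterprise ID yields a token for the application's Service Account, a user ID yields one for that managed or App User. Keep the assertion lifetime short; a leaked assertion is only useful until `exp`, and the fresh `jti` on each one stops a captured assertion from being presented twice.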

    When to use a Client Credentials Grant?

    Server-side authentication with Client Credentials Grant is the ideal authentication method for apps that:

    • work with users without Box accounts
    • use their own identity management system
    • do not want users to know they are using Box
    • store data within the application's Service Account and not a user's account

    Learn about server-side authentication with Client Credentials Grant

    App Token

    A server-side App Token is an authentication method where the application only has access to read and write data to its own account. This is mainly used by Box View applications. By using this authentication method there is no need to authorize a user as the application is automatically authenticated as the application's Service Account.

    When to use App Tokens?

    Server-side authentication with App Tokens is the ideal authentication method for apps that:

    • work in an environment that either has no user model, or has users without Box accounts
    • use their own identity management system
    • do not want users to know they are using Box
    • store data within the application's Service Account and not a user's account

    Learn about server-side authentication with App Tokens

    Comparison

    The following is a quick overview of the key differences between client-side and server-side authentication.

                                        OAuth 2.0   JWT   Client Credentials   App Tokens
    Requires user involvement?          Yes         No    No                   No
    Requires admin approval?            No          Yes   Yes                  Yes
    Can act on behalf of other users?   Yes         Yes   Yes                  No
    Do users see Box?                   Yes         No    No                   No
    Can create App Users?               No          Yes   Yes                  No

    An Access Token is tied to a specific Box user and the way the token has been obtained determines who that user is.

    For example, when using client-side authentication the token represents the user who granted access to their account, while when using server-side authentication the token defaults to the application's Service Account.