Select Auth Method

The type of authorization your application can use depends on the type of Box Application that you've configured in the developer console.

Learn how to select the application type for your app

Available methods

The following authorization methods are available to each Box Application type.

Box Application Type | Supports OAuth 2.0? | JWT? | App Token? | Developer Token?
-------------------- | ------------------- | ---- | ---------- | ----------------
Custom App           | Yes                 | Yes  | No         | Yes
Limited Access App   | No                  | Yes  | Yes        | No
Custom Skill         | No                  | No   | No         | No

Client-side OAuth 2.0

Client-side OAuth 2.0 requires the application to redirect end-users to their browser to login to Box and authorize the application to take actions on their behalf.

[Figure: Box OAuth 2.0 approval]

When to use OAuth 2.0?

Client-side authentication is the ideal authentication method for apps that:

  • Work with users that already have existing Box accounts
  • Want or require users to know that they are using Box
  • Want to store data within the user's Box account and not within the application's Box account

Learn about client-side authentication with OAuth 2.0

Server-side JWT

Server-side authentication using JSON Web Tokens (JWT) does not require end-user interaction and, if granted the proper privileges, can be used to act on behalf of any user in an enterprise. You can use a public and private key pair or your client ID and client secret to verify the application's permissions.

[Figure: Box JWT flow]

When to use JWT?

Server-side authentication with JWT is the ideal authentication method for apps that:

  • Work with users that don't have a Box account
  • Want to use their own identity system
  • Don't want users to have to know that they are using Box
  • Want to store data within the application's Box account and not within the user's Box account

Learn about server-side authentication with JWT

Server-side App Tokens

A server-side App Token is an authentication method where the application only has access to read and write data in its own account. It is mainly used by Box View applications. With this authentication method there is no need to authorize a user, as the application is automatically authenticated as the Service Account that belongs to it.

When to use App Tokens?

Server-side authentication with App Tokens is the ideal authentication method for apps that:

  • Work in an environment that either has no user model, or has users that don't have Box accounts
  • Want to use their own identity system
  • Don't want users to have to know that they are using Box
  • Want to store data in the application's Service Account and not a user's account

Learn about server-side authentication with App Tokens

Developer Token

A server-side Developer Token is a short-lived authentication method available to developers creating applications that use OAuth 2.0. It is an Access Token that is valid for only 1 hour and authenticates as the developer who created the token.

When to use a Developer Token?

A Developer Token is the ideal authentication method during development and testing. It is ideal in situations where the developer:

  • Wants to quickly test API calls
  • Does not want to authenticate as a different user
  • Does not need the token for more than an hour
  • Does not intend to ship the code to production

Comparison

The following is a quick overview of the key differences between client-side and server-side authentication.

                                  | OAuth 2.0 | JWT | App Tokens | Developer Token
--------------------------------- | --------- | --- | ---------- | ---------------
Requires user involvement?        | Yes       | No  | No         | Yes
Requires admin approval?          | No        | Yes | Yes        | No
Can act on behalf of other users? | Yes       | Yes | No         | Yes
Do users see Box?                 | Yes       | No  | No         | Yes
Can create App Users?             | No        | Yes | No         | Yes
Can be used in production?        | Yes       | Yes | Yes        | No

An Access Token is tied to a specific Box user and the way the token has been obtained determines who that user is.

For example, when using client-side authentication the token represents the user who granted access to their account, while when using server-side authentication the token defaults to the application's Service Account.