Tokens

At the core of every Box API call is an Access Token. Similar to using the Box Web App, you will only be able to successfully interact with content the user associated with the Access Token either a collaborator on or owns. This can be further restricted by downscoping a token.

Required access scopes, application access, enabled advanced settings, user permissions, and endpoint-specific restrictions all work together to determine which API calls will be successful. For example, even if a user has collaborator access to a folder, a call to get information about the folder will not be successful if the read scope is not granted to the application.

Type	Duration
Access Token	60 minutes
Refresh Token	60 days or one use
Developer Token	60 minutes

The following shows how each application type is expected to create an Access Token.

Box Application Type	How to get Access Token
Custom App + OAuth 2.0	Explicit user grant
Custom App + JWT	Exchange a JWT assertion
Custom App + Client Credentials Grant	Use client ID and client secret
Limited Access App + App Token	Configure token in Developer Console
Custom Skill	Access Token in event payload

Tokens

Tokens

Types of tokens

Application Types & Access Tokens