Box Developer Documentation
 

    Tokens


    At the core of every Box API call is an Access Token. As in the Box Web App, you can only interact successfully with content that the user associated with the Access Token either owns or is a collaborator on. This access can be further restricted by downscoping a token.

    Required access scopes, application access, enabled advanced settings, user permissions, and endpoint-specific restrictions all work together to determine which API calls will be successful. For example, even if a user has collaborator access to a folder, a call to get information about the folder will not be successful if the read scope is not granted to the application.

    Types of tokens

    Type            | Duration
    Access Token    | 60 minutes
    Refresh Token   | 60 days or one use
    Developer Token | 60 minutes
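
The lifetimes above mean a client has to cache the Access Token for at most 60 minutes and replace its Refresh Token every time it is used. The following is an added example, not code from Box: `TokenStore`, `FakeTokenEndpoint` and the `exchange` callable are hypothetical names, and the endpoint is a constructed in-memory stand-in so the sketch runs offline.

```python
import time

ACCESS_TTL = 60 * 60             # Access Token: 60 minutes (from the table above)
REFRESH_TTL = 60 * 24 * 60 * 60  # Refresh Token: 60 days or one use


class TokenStore:
    """Caches the Access Token and rotates the one-use Refresh Token.
    `exchange` (hypothetical) stands in for the token-endpoint HTTP call."""

    def __init__(self, refresh_token, exchange, clock=time.time, skew=60):
        self._refresh = refresh_token
        self._refresh_issued = clock()
        self._exchange = exchange
        self._clock = clock
        self._skew = skew            # refresh this many seconds before expiry
        self._access = None
        self._access_expires = 0.0

    def access_token(self):
        now = self._clock()
        if self._access and now < self._access_expires - self._skew:
            return self._access      # still valid, no network call
        if now - self._refresh_issued >= REFRESH_TTL:
            raise RuntimeError("refresh token expired; user must re-authorize")
        reply = self._exchange(self._refresh)
        # The old refresh token is now spent: keep (and persist) the new pair.
        self._access = reply["access_token"]
        self._access_expires = now + reply.get("expires_in", ACCESS_TTL)
        self._refresh = reply["refresh_token"]
        self._refresh_issued = now
        return self._access


class FakeTokenEndpoint:
    """Constructed in-memory endpoint that enforces one-use refresh tokens."""

    def __init__(self, first_refresh):
        self.valid = first_refresh
        self.count = 0

    def __call__(self, refresh_token):
        if refresh_token != self.valid:
            raise PermissionError("refresh token already used or unknown")
        self.count += 1
        self.valid = f"refresh-{self.count}"
        return {"access_token": f"access-{self.count}",
                "refresh_token": self.valid, "expires_in": ACCESS_TTL}
```

In a real deployment the new refresh token should be written to durable storage before the new Access Token is used, so a crash between the two steps does not leave only a spent token on disk.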

    Application Types & Access Tokens

    The following shows how each application type is expected to create an Access Token.

    Box Application Type                  | How to get Access Token
    Custom App + OAuth 2.0                | Explicit user grant
    Custom App + JWT                      | Exchange a JWT assertion
    Custom App + Client Credentials Grant | Use client ID and client secret
    Limited Access App + App Token        | Configure token in Developer Console
    Custom Skill                          | Access Token in event payload