> ## Documentation Index
> Fetch the complete documentation index at: https://developer.box.com/llms.txt
> Use this file to discover all available pages before exploring further.
# Access Tokens
export const Link = ({href, children, className, ...props}) => {
const localizedHref = localizeLink(href);
return
{children}
;
};
Instead of a user name and password, Access Tokens are the credentials used to
represent the authenticated user to the Box servers.
## Token Object
### OAuth 2.0 authentication
When an Access Token is requested using OAuth 2.0, an Access Token and Refresh
Token pair are returned.
```sh theme={null}
curl -X POST https://api.box.com/oauth2/token \
-H "content-type: application/x-www-form-urlencoded" \
-d '...'
```
```json theme={null}
{
"access_token": "c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ",
"expires_in": 3600,
"token_type": "bearer",
"refresh_token": "c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ",
"issued_token_type": "urn:ietf:params:oauth:token-type:access_token"
}
```
Within this object we can see the token string (`access_token`), as well
as the Refresh Token (`refresh_token`) that can be used to request a new Access
Token when the current one expires (`expires_in`).
### Server authentication
When an Access Token is requested using JWT or Client Credentials Grant, only an
Access Token is returned:
```sh theme={null}
curl --location --request POST 'https://api.box.com/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode '...'
```
```json theme={null}
{
"access_token": "DkXZmsjUKizvL2z0WiaLvMBeQ756XCGGf",
"expires_in": 4123,
"restricted_to": [],
"issued_token_type": "bearer"
}
```
Within this object we can see the token string (`access_token`).
Because a Refresh Token is not returned, you must request a new token when the
Access Token expires (`expires_in`) using the token endpoint.