AI
App item associations
Authorization
- Resources
  - Access token
  - OAuth 2.0 error
- Endpoints
Box Sign requests
Box Sign templates
Classifications
Classifications on files
Classifications on folders
Collaborations
Collaborations (List)
Collections
Comments
Device pinners
Doc Gen
Doc Gen templates
Domain restrictions (User exemptions)
Domain restrictions for collaborations
Downloads
Email aliases
Events
File requests
File version legal holds
File version retentions
File versions
Files
Folder Locks
Folders
Group memberships
Groups
Integration mappings
Invites
Legal hold policies
Legal hold policy assignments
Metadata cascade policies
Metadata instances (Files)
Metadata instances (Folders)
Metadata templates
Recent items
Retention policies
Retention policy assignments
Search
Session termination
Shared links (Files)
Shared links (Folders)
Shared links (Web Links)
Shield information barrier reports
Shield information barrier segment members
Shield information barrier segment restrictions
Shield information barrier segments
Shield information barriers
Skills
Standard and Zones Storage Policies
Standard and Zones Storage Policy Assignments
Task assignments
Tasks
Terms of service
Terms of service user statuses
Transfer folders
Trashed files
Trashed folders
Trashed items
Trashed web links
Uploads
Uploads (Chunked)
User avatars
Users
Watermarks (Files)
Watermarks (Folders)
Web links
Webhooks
Workflows
Zip Downloads
Resources

Latest version

Request access token

post

https://api.box.com

/oauth2/token

This endpoint is in the version 2024.0. No changes are required to continue using it. For more details, see Box API versioning.

Request an Access Token using either a client-side obtained OAuth 2.0 authorization code or a server-side JWT assertion.

An Access Token is a string that enables Box to verify that a request belongs to an authorized session. In the normal order of operations you will begin by requesting authentication from the authorize endpoint and Box will send you an authorization code.

You will then send this code to this endpoint to exchange it for an Access Token. The returned Access Token can then be used to to make Box API calls.

Related Guides

Request

content-typeapplication/x-www-form-urlencoded

Request Body

actor_token string (token)in bodyoptional

example"c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ"

The token used to create an annotator token. This is a JWT assertion.

Used in combination with urn:ietf:params:oauth:grant-type:token-exchange as the grant_type.

actor_token_type string (urn)in bodyoptional

example"urn:ietf:params:oauth:token-type:id_token"

The type of actor_token passed in.

Used in combination with urn:ietf:params:oauth:grant-type:token-exchange as the grant_type.

Value is always urn:ietf:params:oauth:token-type:id_token

assertion string (jwt)in bodyoptional

example"xxxxx.yyyyy.zzzzz"

A JWT assertion for which to request a new access token.

Used in combination with urn:ietf:params:oauth:grant-type:jwt-bearer as the grant_type.

box_shared_link string (url)in bodyoptional

example"https://cloud.box.com/s/123456"

Full URL of the shared link on the file or folder that the token should be generated for.

box_subject_id stringin bodyoptional

example"123456789"

Used in combination with client_credentials as the grant_type. Value is determined by box_subject_type. If user use user ID and if enterprise use enterprise ID.

box_subject_type stringin bodyoptional

example"enterprise"

Used in combination with client_credentials as the grant_type.

Value is one of enterprise,user

client_id stringin bodyoptional

example"ly1nj6n11vionaie65emwzk575hnnmrk"

The Client ID of the application requesting an access token.

Used in combination with authorization_code, client_credentials, or urn:ietf:params:oauth:grant-type:jwt-bearer as the grant_type.

client_secret stringin bodyoptional

example"hOzsTeFlT6ko0dme22uGbQal04SBPYc1"

The client secret of the application requesting an access token.

Used in combination with authorization_code, client_credentials, or urn:ietf:params:oauth:grant-type:jwt-bearer as the grant_type.

code string (token)in bodyoptional

example"n22JPxrh18m4Y0wIZPIqYZK7VRrsMTWW"

The client-side authorization code passed to your application by Box in the browser redirect after the user has successfully granted your application permission to make API calls on their behalf.

Used in combination with authorization_code as the grant_type.

grant_type string (urn)in bodyrequired

example"authorization_code"

The type of request being made, either using a client-side obtained authorization code, a refresh token, a JWT assertion, client credentials grant or another access token for the purpose of downscoping a token.

Value is one of authorization_code,refresh_token,client_credentials,urn:ietf:params:oauth:grant-type:jwt-bearer,urn:ietf:params:oauth:grant-type:token-exchange

refresh_token string (token)in bodyoptional

example"c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ"

A refresh token used to get a new access token with.

Used in combination with refresh_token as the grant_type.

resource string (url)in bodyoptional

example"https://api.box.com/2.0/files/123456"

Full URL for the file that the token should be generated for.

scope string (space_delimited_list)in bodyoptional

example"item_upload item_preview base_explorer"

The space-delimited list of scopes that you want apply to the new access token.

The subject_token will need to have all of these scopes or the call will error with 401 Unauthorized.

subject_token string (token)in bodyoptional

example"c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ"

The token to exchange for a downscoped token. This can be a regular access token, a JWT assertion, or an app token.

Used in combination with urn:ietf:params:oauth:grant-type:token-exchange as the grant_type.

subject_token_type stringin bodyoptional

example"urn:ietf:params:oauth:token-type:access_token"

The type of subject_token passed in.

Used in combination with urn:ietf:params:oauth:grant-type:token-exchange as the grant_type.

Value is always urn:ietf:params:oauth:token-type:access_token

Response

200application/jsonAccess token

Returns a new Access Token that can be used to make authenticated API calls by passing along the token in a authorization header as follows Authorization: Bearer <Token>.

400application/jsonOAuth 2.0 error

An authentication error.

defaultapplication/jsonOAuth 2.0 error

An authentication error.

post

Request access token

You can now try out some of our APIs live, right here in the documentation.

Request Example

cURL

curl -i -X POST "https://api.box.com/oauth2/token" \
     -H "content-type: application/x-www-form-urlencoded" \
     -d "client_id=[CLIENT_ID]" \
     -d "client_secret=[CLIENT_SECRET]" \
     -d "code=[CODE]" \
     -d "grant_type=authorization_code"

TypeScript Gen

await auth.retrieveToken();

Python Gen

auth.retrieve_token()

.NET Gen

await auth.RetrieveTokenAsync();

Swift Gen (Beta)

try await auth.retrieveToken();

Python

from boxsdk import Client

# Make sure that the csrf token you get from the `state` parameter
# in the final redirect URI is the same token you get from the
# get_authorization_url method to protect against CSRF vulnerabilities.
assert 'THE_CSRF_TOKEN_YOU_GOT' == csrf_token
access_token, refresh_token = oauth.authenticate('YOUR_AUTH_CODE')
client = Client(oauth)

Response Example

{
  "access_token": "c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ",
  "expires_in": 3600,
  "issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
  "refresh_token": "c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ",
  "restricted_to": [
    {
      "object": {
        "etag": "1",
        "id": "12345",
        "type": "folder",
        "name": "Contracts",
        "sequence_id": "3"
      },
      "scope": "item_download"
    }
  ],
  "token_type": "bearer"
}

Resources

Endpoints

Request access token

Related Guides

Request Body