My Apps



    Authentication with the Box API uses an Access Token to identify a user. The way in which an Access Token is acquired depends on the method used to authorize a user. The type of authorization available to an application depends on the use-case as well as the type of application that has been created in the developer console.

    Box Application TypeAuthorization methods
    Custom AppOAuth 2.0, JWT, or App token
    Custom SkillNo authorization needed
    Enterprise IntegrationOAuth 2.0, JWT
    Partner IntegrationApp token

    Enterprise and Partner Integrations exist for legacy purposes. Please use Custom Apps instead and use the relevant authentication method where needed.

    Access Tokens for Authentication

    Every API endpoint requires a valid and active Access Token to make API calls. An Access Token is a unique string that identifies an authenticated Box user to the API endpoints.

    curl \
      -H "Authorization: Bearer EGmDmRVfhfHsqesn5yVYHAqUkD0dyDfk"

    User Authorization

    There are a few ways to get an an Access Token for a user. There is client-side authorization through OAuth 2.0, server-side authorization using JWT, as well as a long lived App Token and a short-lived Developer Token.