My Apps

    Select Auth Method

    Select Auth Method

    The type of authorization your application can use depends on the type of Box Application that you've configured in the developer console.

    Available methods

    The following authorization methods are available to each Box Application type.

    Box Application TypeSupports OAuth 2.0?JWT?App Token?Developer Token?
    Custom AppYesYesYesYes
    Custom SkillNoNoNoNo
    Enterprise IntegrationYesYesNoYes
    Partner IntegrationNoNoYesNo

    Enterprise and Partner Integrations exist for legacy purposes. Please use Custom Apps instead and use the relevant authentication method where needed.

    When you are creating a Custom Skill or Partner Integration application there is no need to select a authentication method as there is no choice to be made.

    In the case of Custom Skills, there isn't even a need to set up anything further as every Skills Event-payload will include an Access Token that can be used to make the API calls.

    Client-side OAuth 2.0

    Client-side OAuth 2.0 is only available to Custom Apps and Enterprise Integrations. It requires the application to redirect a user to the Box website to grant the application's access to their data.

    Box OAuth 2.0 approval

    When to use OAuth 2.0?

    Client-side authentication is the ideal authentication method for apps that:

    • Work with users that already have existing Box accounts
    • Want or require users to know that they are using Box
    • Want to store data within the user's Box account and not within the the application's Box account

    Server-side JWT

    Server-side authentication using JSON Web Tokens (JWT) is only available to Custom Apps and Enterprise Integrations. It does not involve a user into the authorization flow and as such can be used to act on behalf of any user in an enterprise. JWT uses a public/private key pair verify the application's permissions.

    Box JWT flow

    When to use JWT?

    Server-side authentication with JWT is the ideal authentication method for apps that:

    • Work with users that don't have a Box account
    • Want to use their own identity system
    • Don't want users to have to know that they are using Box
    • Want to store data within the application's Box account and not within the the user's Box account

    Server-side App Tokens

    A server-side App Token is an authentication method where the application only has access to read and write data to its own account. This is mainly used by Box View applications. By using this authentication method there is no need to authorize a user as the application is automatically authenticated as the Service Account that belongs to that application.

    When to use App Tokens?

    Server-side authentication with App Tokens is the ideal authentication method for apps that:

    • Work in an environment that either has no user model, or has users that don't have Box accounts
    • Want to use their own identity system
    • Don't want users to have to know that they are using Box
    • Want to store data in the application's Service Account and not a user's account

    Developer Token

    A server-side Developer Token is a short-lived authentication available to developers creating applications that use OAuth 2.0. It is an Access Token that is only valid for 1 hour, and authenticates as the developer who created the token.

    When to use a Developer Token?

    A Developer Token is the ideal authentication method during development and testing. It is ideal in situations where the developer:

    • Wants to quickly test an API calls
    • Does not want to authenticate as a different user
    • Does not need the token for more than an hour
    • Does not intend to ship the code to production

    Comparison

    The following is a quick overview of the key difference between client-side and server-side authentication.

    OAuth 2.0JWTApp TokensDeveloper Token
    Requires user involvement?YesNoNoYes
    Requires admin approval?NoYesYesNo
    Can act on behalf of other users?YesYesNoYes
    Do users see Box?YesNoNoYes
    Can create App Users?NoYesNoYes
    Can be used in production?YesYesYesNo

    An Access Token is tied to a specific Box user and the way the token has been obtained determines who that user is.

    For example, when using client-side authentication the token represents the user who granted access to their account, while while when using server-side authentication the token defaults to a Service Account.