POST https://api.box.com/oauth2/token
Request an Access Token using either a client-side obtained OAuth 2.0 authorization code or a server-side JWT assertion.
An Access Token is a string that enables Box to verify that a request belongs to an authorized session. In the normal order of operations you will begin by requesting authentication from the authorize endpoint and Box will send you an authorization code.
You will then send this code to this endpoint to exchange it for an Access Token. The returned Access Token can then be used to make Box API calls.
Request
application/x-www-form-urlencoded
Request Body
string (token), in body, optional
"c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ"
The token used to create an annotator token. This is a JWT assertion.
Used in combination with urn:ietf:params:oauth:grant-type:token-exchange as the grant_type.
string (urn), in body, optional
"urn:ietf:params:oauth:token-type:id_token"
The type of actor_token passed in.
Used in combination with urn:ietf:params:oauth:grant-type:token-exchange as the grant_type.
Value is always urn:ietf:params:oauth:token-type:id_token
string (jwt), in body, optional
"xxxxx.yyyyy.zzzzz"
A JWT assertion for which to request a new access token.
Used in combination with urn:ietf:params:oauth:grant-type:jwt-bearer as the grant_type.
string, in body, optional
"123456789"
Used in combination with client_credentials as the grant_type.
Value is determined by box_subject_type. If user, use the user ID, and if enterprise, use the enterprise ID.
string, in body, optional
"enterprise"
Used in combination with client_credentials as the grant_type.
Value is one of enterprise, user
string, in body, optional
"ly1nj6n11vionaie65emwzk575hnnmrk"
The Client ID of the application requesting an access token.
Used in combination with authorization_code, client_credentials, or urn:ietf:params:oauth:grant-type:jwt-bearer as the grant_type.
string, in body, optional
"hOzsTeFlT6ko0dme22uGbQal04SBPYc1"
The client secret of the application requesting an access token.
Used in combination with authorization_code, client_credentials, or urn:ietf:params:oauth:grant-type:jwt-bearer as the grant_type.
string (token), in body, optional
"n22JPxrh18m4Y0wIZPIqYZK7VRrsMTWW"
The client-side authorization code passed to your application by Box in the browser redirect after the user has successfully granted your application permission to make API calls on their behalf.
Used in combination with authorization_code as the grant_type.
string (urn), in body, required
"authorization_code"
The type of request being made, either using a client-side obtained authorization code, a refresh token, a JWT assertion, client credentials grant or another access token for the purpose of downscoping a token.
Value is one of authorization_code, refresh_token, client_credentials, urn:ietf:params:oauth:grant-type:jwt-bearer, urn:ietf:params:oauth:grant-type:token-exchange
string (token), in body, optional
"c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ"
A refresh token used to get a new access token.
Used in combination with refresh_token as the grant_type.
string (url), in body, optional
"https://api.box.com/2.0/files/123456"
Full URL for the file that the token should be generated for.
string (space_delimited_list), in body, optional
"item_upload item_preview base_explorer"
The space-delimited list of scopes that you want to apply to the new access token.
The subject_token will need to have all of these scopes or the call will error with 401 Unauthorized.
string (token), in body, optional
"c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ"
The token to exchange for a downscoped token. This can be a regular access token, a JWT assertion, or an app token.
Used in combination with urn:ietf:params:oauth:grant-type:token-exchange as the grant_type.
string, in body, optional
"urn:ietf:params:oauth:token-type:access_token"
The type of subject_token passed in.
Used in combination with urn:ietf:params:oauth:grant-type:token-exchange as the grant_type.
Value is always urn:ietf:params:oauth:token-type:access_token
Response
application/json: Access token
Returns a new Access Token that can be used to make authenticated API calls by passing along the token in an authorization header as follows: Authorization: Bearer <Token>.
application/json: OAuth 2.0 error
An authentication error.
application/json: OAuth 2.0 error
An authentication error.
Request Example
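curl -i -X POST "https://api.box.com/oauth2/token" \
     -H "content-type: application/x-www-form-urlencoded" \
     -d "client_id=[CLIENT_ID]" \
     -d "client_secret=[CLIENT_SECRET]" \
     -d "code=[CODE]" \
     -d "grant_type=authorization_code"

from boxsdk import Client, OAuth2

# The OAuth2 object and the CSRF token come from the earlier authorization step.
oauth = OAuth2(client_id='YOUR_CLIENT_ID', client_secret='YOUR_CLIENT_SECRET')
auth_url, csrf_token = oauth.get_authorization_url('http://YOUR_REDIRECT_URL')

# Make sure that the csrf token you get from the `state` parameter
# in the final redirect URI is the same token you get from the
# get_authorization_url method to protect against CSRF vulnerabilities.
# Note: assert statements are skipped when Python runs with -O.
assert 'THE_CSRF_TOKEN_YOU_GOT' == csrf_token
access_token, refresh_token = oauth.authenticate('YOUR_AUTH_CODE')
client = Client(oauth)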
Response Example
{
  "access_token": "c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ",
  "expires_in": 3600,
  "issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
  "refresh_token": "c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ",
  "restricted_to": [
    {
      "scope": "item_download",
      "object": {
        "id": "12345",
        "etag": "1",
        "type": "folder",
        "sequence_id": "3",
        "name": "Contracts"
      }
    }
  ],
  "token_type": "bearer"
}
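
The downscoping (token-exchange) request described in the Request Body section, as an added example that is not part of Box's documentation or SDK: it builds the form body, refuses locally when the requested scopes are not all held by the subject_token (the case the page says returns 401 Unauthorized), and compares a response's restricted_to against what was requested. The function names, the parent_scopes argument, the host check and all token values are assumptions constructed for illustration; subject_token_type, scope and resource are Box's field names for the last parameters described above.

```python
from urllib.parse import urlencode, urlparse

GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
SUBJECT_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def build_downscope_body(subject_token, scope, parent_scopes, resource=None):
    """Return the x-www-form-urlencoded body for a downscoping request.

    parent_scopes is a hypothetical input: the scopes the caller knows
    the subject_token already holds.
    """
    requested = scope.split()
    if not requested:
        raise ValueError("scope must name at least one scope")
    missing = sorted(set(requested) - set(parent_scopes))
    if missing:
        # Box would answer 401 Unauthorized; fail before sending the token.
        raise ValueError("subject_token lacks scopes: " + " ".join(missing))
    params = {
        "grant_type": GRANT,
        "subject_token": subject_token,
        "subject_token_type": SUBJECT_TYPE,
        "scope": " ".join(requested),
    }
    if resource is not None:
        url = urlparse(resource)
        # Assumed policy: only send tokens alongside a Box API file URL.
        if url.scheme != "https" or url.hostname != "api.box.com":
            raise ValueError("resource must be a full https://api.box.com URL")
        params["resource"] = resource
    return urlencode(params)


def excess_scopes(response, scope):
    """Scopes listed in the response's restricted_to that were not requested."""
    granted = {entry["scope"] for entry in response.get("restricted_to", [])}
    return sorted(granted - set(scope.split()))


# Constructed sample, shaped like the response example on this page.
SAMPLE_RESPONSE = {
    "access_token": "EXAMPLE_DOWNSCOPED_TOKEN",
    "expires_in": 3600,
    "issued_token_type": SUBJECT_TYPE,
    "restricted_to": [{"scope": "item_download",
                       "object": {"id": "12345", "type": "folder"}}],
    "token_type": "bearer",
}
```

A non-empty result from excess_scopes means the returned token carries a scope the caller did not ask for and should not be handed to a less-trusted client.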