Skip to main content
Server-side authentication using JSON Web Tokens (JWT) is the most common way to authenticate to the Box API. JWT is an open standard designed to allow powerful server-to-server authentication.
The JWT flow
Server-side authentication using JWT is only available to the Platform Application . This authentication method does not require end-user interaction and, if granted the proper privileges, can be used to act on behalf of any user in an enterprise. There are two ways you can verify an application’s permissions:
  • using a public and private key pair
  • using a client id and client secret ()
To learn more about these options visit our guide on using . Upon authorizing a JWT application in the Box Admin Console, a is automatically generated and is the default Access Token used when authenticating. This is an admin-like user and why applications leveraging JWT require explicit Box Admin approval before use.

When to use JWT

Server-side authentication with JWT is the ideal authentication method for apps that:
  • Work with users that don’t have a Box account
  • Want to use their own identity system
  • Don’t want users to have to know that they are using Box
  • Want to store data within the application’s Box account and not within the the user’s Box account