Server-side authentication using JSON Web Tokens (JWT) is the most common way to
authenticate to the Box API. JWT is an open standard
designed to allow powerful server-to-server authentication.
Server-side authentication using JWT is only available to the Platform Application
. This authentication method does not require end-user
interaction and, if granted the proper privileges, can be used
to act on behalf of any user in an enterprise.
There are two ways you can verify an application’s permissions:
- using a public and private key pair
- using a client id and client secret ()
To learn more about these options visit our guide on using
.
Upon authorizing a JWT application, a
is automatically generated and is the default
Access Token used when authenticating. This is an admin-like user and why
applications leveraging JWT require explicit Box Admin approval before use.
When to use JWT
Server-side authentication with JWT is the ideal authentication method for apps
that:
- Work with users that don’t have a Box account
- Want to use their own identity system
- Don’t want users to have to know that they are using Box
- Want to store data within the application’s Box account and not within the the user’s Box account
Last modified on May 4, 2026