> ## Documentation Index
> Fetch the complete documentation index at: https://developer.box.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Setup with JWT

export const SignupCTA = ({children}) => {
  return <div className="flex flex-wrap items-center gap-4 p-5 rounded-lg border border-gray-200 dark:border-gray-700 my-6" style={{
    background: "linear-gradient(135deg, rgba(0, 97, 213, 0.06), rgba(0, 97, 213, 0.02))"
  }}>
      <div className="flex-1 text-sm leading-relaxed text-gray-700 dark:text-gray-300" style={{
    minWidth: "280px"
  }}>
        {children}
      </div>
      <div className="flex flex-col items-center gap-2">
        <a href="https://account.box.com/signup/developer#ty9l3" className="signup-cta-button inline-flex items-center whitespace-nowrap px-5 py-2 text-sm font-semibold text-white no-underline">
          Get started for free
        </a>
        <a href="https://account.box.com/developers/console" className="signup-cta-login text-xs text-gray-500 dark:text-gray-400 no-underline whitespace-nowrap">
          Already have an account? Log in
        </a>
      </div>
    </div>;
};

export const MultiRelatedLinks = ({sections = []}) => {
  if (!sections || sections.length === 0) {
    return null;
  }
  return <div className="space-y-8">
      {sections.map((section, index) => <RelatedLinks key={index} title={section.title} items={section.items} />)}
    </div>;
};

export const RelatedLinks = ({title, items = []}) => {
  const getBadgeClass = badge => {
    if (!badge) return "badge-default";
    const badgeType = badge.toLowerCase().replace(/\s+/g, "-");
    return `badge-${badge === "ガイド" ? "guide" : badgeType}`;
  };
  if (!items || items.length === 0) {
    return null;
  }
  return <div className="my-8">
      {}
      <h3 className="text-sm font-bold uppercase tracking-wider mb-4">{title}</h3>

      {}
      <div className="flex flex-col gap-3">
        {items.map((item, index) => <a key={index} href={item.href} className="py-2 px-3 rounded related_link hover:bg-[#f2f2f2] dark:hover:bg-[#111827] flex items-center gap-3 group no-underline hover:no-underline border-b-0">
            {}
            <span className={`px-2 py-1 rounded-full text-xs font-semibold uppercase tracking-wide flex-shrink-0 ${getBadgeClass(item.badge)}`}>
              {item.badge}
            </span>

            {}
            <span className="text-base">{item.label}</span>
          </a>)}
      </div>
    </div>;
};

export const Link = ({href, children, className, ...props}) => {
  const localizedHref = localizeLink(href);
  return <a href={localizedHref} className={className} {...props}>
      {children}
    </a>;
};

<RelatedLinks
  title="REQUIRED GUIDES"
  items={[
{ label: translate("Select Auth Method"), href: "/guides/authentication/select", badge: "GUIDE" },
{ label: translate("Platform App"), href: "/guides/applications/platform-apps/index", badge: "GUIDE" },
{ label: translate("Platform App Approval"), href: "/guides/authorization/platform-app-approval", badge: "GUIDE" }
]}
/>

A Platform App can be set up to use server-side authentication with
<Link href="/guides/authentication/jwt">JWT</Link>.

<Card href={localizeLink("/guides/authentication/jwt")} arrow title="Learn how JWT authentication works" />

## Prerequisites

To set up a Platform App using server-side authentication, you need to ensure
you have access the [Developer Console][devconsole] from your Box enterprise
account. Alternatively, you may sign up for a [developer account][devaccount].

<SignupCTA>
  Don't have a Box account yet? A free developer account gives you access to the Developer Console, where you can create and configure JWT applications.
</SignupCTA>

## App creation steps

### Navigate to the Developer Console

Log into Box and go to the [Developer Console][devconsole].
Select **Platform Apps**, then click **New App**.

### Create a new app

On the **Create a New App** screen, enter your app name
and select **Server Auth - JWT** from the **App Type** dropdown.

<Frame border>
  <img src="https://mintcdn.com/box/J0IlfoFf_v0hLHOU/images/guides/authentication/create-new-app.png?fit=max&auto=format&n=J0IlfoFf_v0hLHOU&q=85&s=e1118ea7200b15165c48f314ea4e9d0f" alt="Create a New App screen" width="1024" height="891" data-path="images/guides/authentication/create-new-app.png" />
</Frame>

<Warning>
  Once you make a selection, you are not able to change to a different
  authentication method without creating a new application.
</Warning>

## Public and private key pair

<Info>
  This section can be skipped if you selected Server Authentication
  (Client Credentials Grant) as your authentication method.
</Info>

Once a Platform App is created leveraging Server Authentication with JWT, a key
pair can be generated via the configuration tab within the
[Developer Console][devconsole]. Alternatively, you can generate your
own and supply Box with the public key. Regardless of the method you select,
your Box account needs to have [2FA][2fa] enabled for security purposes.

### Generate a keypair (Recommended)

If you would like to use a Box generated keypair, navigate to the
[Developer Console][devconsole] where you can generate a configuration file.
This file includes a public/private keypair and a number of other application
details that are necessary for authentication.

To generate this file, navigate to the **Configuration** tab of the
[Developer Console][devconsole] and scroll down to the
**Add and Manage Public Keys** section.

<Frame border width="600" center>
  <img src="https://mintcdn.com/box/KBEcg4yicgc_HMRY/images/guides/authentication/app-add-keys.png?fit=max&auto=format&n=KBEcg4yicgc_HMRY&q=85&s=bcd5821de9325694967f83c381e27e23" alt="Add and Manage keys" width="1400" height="476" data-path="images/guides/authentication/app-add-keys.png" />
</Frame>

Click the **Generate a Public/Private Keypair** button to have Box generate a
keypair you. This triggers the download of a JSON configuration file that
you can move to your application code.

<Danger>
  For security reasons, Box does not store your private key. If you lose your
  private key, you need to reset the entire keypair.
</Danger>

### Manually add keypair

Alternatively, you may generate your own keypair and upload the public key to
the [Developer Console][devconsole].

To create a keypair using OpenSSL, open a terminal window and run the
following commands.

```shell theme={null}
openssl genrsa -des3 -out private.pem 2048
openssl rsa -in private.pem -outform PEM -pubout -out public.pem
```

<Info>
  **For Windows Systems**

  Windows users can install and use the [Cygwin][cygwin] package to run OpenSSL.
</Info>

Then, navigate to the configuration tab for your application within the
[Developer console][devconsole] and scroll down to the
**Add and Manage Public Keys** section.

<Frame border width="600" center>
  <img src="https://mintcdn.com/box/KBEcg4yicgc_HMRY/images/guides/authentication/app-add-keys.png?fit=max&auto=format&n=KBEcg4yicgc_HMRY&q=85&s=bcd5821de9325694967f83c381e27e23" alt="Add and Manage keys" width="1400" height="476" data-path="images/guides/authentication/app-add-keys.png" />
</Frame>

Click the **Add a Public Key** button, enter the public key generated using the
steps above and click **Verify and Save**.

## App Authorization

Before the application can be used, a Box Admin or Co-Admin needs to authorize it.

On the **Configuration** tab in the [Developer Console][devconsole]:

* If you are a Box Admin or Co-Admin, click **Authorize** to authorize the app immediately.
* If you are not an Admin or Co-Admin, click **Submit** to send an authorization request to your Admin or Co-Admin. You receive an email once the request is approved or denied.

More information on this process is available in our
[support article for app authorization][app-auth].

<Card href={localizeLink("/guides/authorization/platform-app-approval")} arrow title="Learn how to authorize a Platform Application" />

## Basic configuration

### Application Access

An application's access level determines which users and content your app may
access. By default, an application can only successfully interact with the
content of its <Link href="/platform/user-types/#service-account">Service Account</Link> and any <Link href="/platform/user-types">App Users</Link>.
To access existing Managed Users of an
enterprise and groups that were not created by
the app itself, navigate to the **App Access Level**
setting accessible on the **Configuration** tab of the
[Developer console][devconsole] and set
to **App + Enterprise Access**. Otherwise, access to such
Managed Users and groups is blocked.

<Frame>
  <img src="https://mintcdn.com/box/J0IlfoFf_v0hLHOU/images/guides/authentication/app-access-level-new.png?fit=max&auto=format&n=J0IlfoFf_v0hLHOU&q=85&s=8e1e5f2e6b2d8b5fb45f50d0798c5064" alt="App access level" width="1024" height="275" data-path="images/guides/authentication/app-access-level-new.png" />
</Frame>

### Application Scopes

An application's scopes determine which endpoints and resources an application
can successfully call. See the <Link href="/guides/api-calls/permissions-and-errors/scopes">scopes guide</Link> for detailed information
on each option.

<Frame>
  <img src="https://mintcdn.com/box/KBEcg4yicgc_HMRY/images/guides/authentication/app-scopes.png?fit=max&auto=format&n=KBEcg4yicgc_HMRY&q=85&s=7d6a76fe395fc483d33179f6c4ad34e1" alt="App scopes" width="1227" height="640" data-path="images/guides/authentication/app-scopes.png" />
</Frame>

### CORS Domains

If your application makes API calls from front-end browser code in
Javascript, the domain that these calls are made from needs to be
added to an allow-list due to [Cross Origin Resource Sharing][cors],
also known as CORS. If all requests are made from server-side code,
you may skip this section.

To add the full URI(s) to the allow-list, navigate to the **CORS Domain**
section at the bottom of the **Configuration** tab in the
[Developer console][devconsole].

<Frame>
  <img src="https://mintcdn.com/box/KBEcg4yicgc_HMRY/images/guides/authentication/app-cors.png?fit=max&auto=format&n=KBEcg4yicgc_HMRY&q=85&s=12de7f8cec95dc4317b02172ef10e9df" alt="App CORS config" width="1504" height="378" data-path="images/guides/authentication/app-cors.png" />
</Frame>

[devconsole]: https://app.box.com/developers/console

[devaccount]: https://account.box.com/signup/n/developer

[devtoken]: /guides/authentication/tokens/developer-tokens

[cors]: https://en.wikipedia.org/wiki/Cross-origin_resource_sharing

{/* i18n-enable localize-links */}

[cygwin]: http://www.cygwin.com/

[app-auth]: https://support.box.com/hc/en-us/articles/360043697174-Authorizing-Apps-in-the-Box-App-Approval-Process

{/* i18n-enable localize-links */}

[2fa]: https://support.box.com/hc/en-us/articles/360043697154-Two-Factor-Authentication-Set-Up-for-Your-Account

[ccg]: /guides/authentication/jwt/without-sdk/#client-credentials-grant

<RelatedLinks
  title="RELATED GUIDES"
  items={[
{ label: translate("JWT Auth"), href: "/guides/authentication/jwt/index", badge: "GUIDE" }
]}
/>
