Box Developer Documentation
 

    Access Tokens

    Access Tokens are the credentials that represent the authenticated user to the Box servers, in place of a user name and password.

    Token Object

    OAuth 2.0 authentication

    When an Access Token is requested using OAuth 2.0, a pair consisting of an Access Token and a Refresh Token is returned.

    curl -X POST https://api.box.com/oauth2/token \
        -H "content-type: application/x-www-form-urlencoded" \
        -d '...'
    
    {
      "access_token": "c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ",
      "expires_in": 3600,
      "token_type": "bearer",
      "refresh_token": "c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ",
      "issued_token_type": "urn:ietf:params:oauth:token-type:access_token"
    }
    

    Within this object we can see the token string (access_token), as well as the Refresh Token (refresh_token) that can be used to request a new Access Token when the current one expires (expires_in).

    Server authentication

    When an Access Token is requested using JWT or Client Credentials Grant, only an Access Token is returned:

    curl --location --request POST 'https://api.box.com/oauth2/token' \
        --header 'Content-Type: application/x-www-form-urlencoded' \
        --data-urlencode '...'
    
    {
      "access_token": "DkXZmsjUKizvL2z0WiaLvMBeQ756XCGGf",
      "expires_in": 4123,
      "restricted_to": [],
      "issued_token_type": "bearer"
    }
    

    Within this object we can see the token string (access_token). Because a Refresh Token is not returned, you must request a new token when the Access Token expires (expires_in) using the token endpoint.
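A client has to handle both response shapes described above. The following is an added example, not code from Box or its SDKs: it parses either response, turns expires_in into an absolute expiry, and reports whether renewal should use the Refresh Token or a fresh request to the token endpoint. The names BoxToken and SKEW_SECONDS are hypothetical, and the sample bodies are constructed with placeholder values.

```python
import json
import time
from dataclasses import dataclass, field
from typing import Optional

SKEW_SECONDS = 60  # assumption: renew this long before the stated expiry

# Constructed sample bodies in the two shapes shown above (placeholder values).
OAUTH_BODY = ('{"access_token": "EXAMPLE_ACCESS", "expires_in": 3600, '
              '"token_type": "bearer", "refresh_token": "EXAMPLE_REFRESH"}')
SERVER_BODY = '{"access_token": "EXAMPLE_ACCESS", "expires_in": 4123, "restricted_to": []}'


@dataclass
class BoxToken:
    access_token: str = field(repr=False)  # repr=False keeps secrets out of logs
    expires_at: float                      # absolute time, seconds since epoch
    refresh_token: Optional[str] = field(default=None, repr=False)

    @classmethod
    def from_response(cls, body: str, now: Optional[float] = None) -> "BoxToken":
        """Parse a token endpoint response body in either shape."""
        data = json.loads(body)
        token = data.get("access_token")
        expires_in = data.get("expires_in")
        if not isinstance(token, str) or not token:
            raise ValueError("response has no access_token")
        if isinstance(expires_in, bool) or not isinstance(expires_in, int) or expires_in <= 0:
            raise ValueError("response has no usable expires_in")
        now = time.time() if now is None else now
        return cls(token, now + expires_in, data.get("refresh_token"))

    def needs_renewal(self, now: Optional[float] = None) -> bool:
        """True once the token is within SKEW_SECONDS of expiring."""
        now = time.time() if now is None else now
        return now >= self.expires_at - SKEW_SECONDS

    def renewal_action(self) -> str:
        """'refresh' if a Refresh Token was issued, else 'reauthenticate'."""
        return "refresh" if self.refresh_token else "reauthenticate"


if __name__ == "__main__":
    for body in (OAUTH_BODY, SERVER_BODY):
        tok = BoxToken.from_response(body)
        print(tok, tok.needs_renewal(), tok.renewal_action())
```

Storing an absolute expiry at parse time avoids treating expires_in as still valid after the response has been cached or passed between processes.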