> ## Documentation Index
> Fetch the complete documentation index at: https://developer.box.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Application Flow

export const Link = ({href, children, className, ...props}) => {
  const localizedHref = localizeLink(href);
  return <a href={localizedHref} className={className} {...props}>
      {children}
    </a>;
};

In general, applications use Terms of Services as follows.

When an application, authenticated as a user, tries to access an item in Box that
requires the user to have accepted the relevant Terms of Service it receives a
`TERMS_OF_SERVICE_REQUIRED`  error.

```json theme={null}
{
  "type": "error",
  "status": 400,
  "code": "terms_of_service_required",
  "context_info": {
    "tos_id": 261346614,
    "tos_user_status_id": 4562456
  },
  "help_url": "/guides/api-calls/permissions-and-errors/common-errors/",
  "message": "User must accept custom terms of service before action can be taken",
  "request_id": "ADF7722DD"
}
```

The application requests the Terms of Service's information by calling
<Link href="/reference/get-terms-of-services-id">`GET /terms_of_services/:id`</Link>.

```json theme={null}
{
  "id": 261346614,
  "type": "terms_of_service",
  "status": "enabled",
  "enterprise": {
    "id": 11446498,
    "type": "enterprise",
    "name": "Acme Inc."
  },
  "tos_type": "managed",
  "text": "By using this service, you agree to ...",
  "created_at": "2012-12-12T10:53:43-08:00",
  "modified_at": "2012-12-12T10:53:43-08:00"
}
```

The application can then show the text from the Terms of Service to the user.

When the user accepts or rejects the terms, it makes a call to either
<Link href="/reference/put-terms-of-service-user-statuses-id">`PUT /terms_of_service_user_statuses/:id`</Link> or
<Link href="/reference/post-terms-of-service-user-statuses">`POST /terms_of_service_user_statuses`</Link> depending on if the initial
error returned a `tos_user_status_id` in the response.

## Server authentication and acting on behalf of users

Applications using JWT, Client Credentials Grant (CCG), or OAuth 2.0 may act as
a <Link href="/platform/user-types/#service-account">service account</Link>, an <Link href="/platform/user-types/#app-user">App User</Link>, or a managed user.
Terms of Service enforcement depends on which user is in context for the API
request.

| Scenario                                                                                                            | Blocked if Managed Terms of Service not accepted?                       |
| ------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------- |
| API call with a service account or App User token (no `As-User`)                                                    | **No** — headless users are exempt                                      |
| API call with CCG/JWT and <Link href="/guides/authentication/oauth2/as-user">`As-User`</Link> set to a managed user | **Yes** — the user specified in the `As-User` header must have accepted |
| User access token issued for a managed user                                                                         | **Yes** — token issuance is blocked until Terms of Service is accepted  |
| OAuth authorization code flow for a managed user                                                                    | **Yes** — authorization is blocked until Terms of Service is accepted   |
| API call with `As-User` set to a service account or App User                                                        | **No** — headless users are exempt                                      |

### Accepting Terms of Service programmatically

When a managed user has not accepted Managed Terms of Service, most API calls
made on their behalf return `terms_of_service_required`. To resolve this
without requiring the user to sign in to the Box web application:

1. Obtain a server authentication access token (JWT or CCG).
2. Set the <Link href="/guides/authentication/oauth2/as-user">`As-User`</Link> header to the managed user's ID so subsequent
   requests run in that user's context.
3. Call the Terms of Service endpoints, which remain available even when Terms
   of Service acceptance is outstanding:
   * <Link href="/reference/get-terms-of-services-id">`GET /terms_of_services/:id`</Link> to retrieve the terms text
   * <Link href="/reference/post-terms-of-service-user-statuses">`POST /terms_of_service_user_statuses`</Link> or
     <Link href="/reference/put-terms-of-service-user-statuses-id">`PUT /terms_of_service_user_statuses/:id`</Link> to accept or reject
4. Retry the original API call.

An admin cannot accept Managed Terms of Service for another user without using
the `As-User` header to act as that user. Acceptance must be recorded for the
user who is subject to the Terms of Service.
