Box Developer Documentation

Retrieve an Access Token

Retrieve an Access Token

Every API call requires an Access Token to identify the authenticated user. For security purposes, Access Tokens expire after 60 minutes. If you are using OAuth 2.0, use the provided Refresh Token to obtain a new Access Token. If you are using server authentication, JWT or Client Credentials Grant, make an API call to the token endpoint to request a new Access Token.

OAuth 2.0

If your application leverages OAuth 2.0 for authentication, you can follow the steps below to obtain a token pair via Postman.

OAuth2.0 token request

  • The grant_type will always be authorization_code.
  • The client_id and client_secret values can be obtained from the Configuration tab for your application in the Developer Console.

To obtain the value for code, build and visit your authorization URL in your browser. Complete the OAuth 2.0 flow and, upon redirecting to your configured redirect URL, the authorization code will be at the end of the URL. As a reminder, this authorization code is only valid for 30 seconds. This means you must enter it to the designated field in Postman and click Send before it expires. Therefore, we recommend entering the other values so the API call is ready to send as soon as you get the code.

OAuth2.0 token request