POST /oauth2/token#refresh
cURL
curl -i -X POST "https://api.box.com/oauth2/token" \
     -H "content-type: application/x-www-form-urlencoded" \
     -d "client_id=[CLIENT_ID]" \
     -d "client_secret=[CLIENT_SECRET]" \
     -d "refresh_token=[REFRESH_TOKEN]" \
     -d "grant_type=refresh_token"
{
  "access_token": "c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ",
  "expires_in": 3600,
  "token_type": "bearer",
  "restricted_to": [
    {
      "scope": "item_download",
      "object": {
        "id": "12345",
        "type": "folder",
        "etag": "1",
        "sequence_id": "3",
        "name": "Contracts"
      }
    }
  ],
  "refresh_token": "c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ",
  "issued_token_type": "urn:ietf:params:oauth:token-type:access_token"
}

This endpoint is in version 2024.0. No changes are required to continue using it. For more details, see Box API versioning. Learn more about Box SDK versioning strategy.

Body

application/x-www-form-urlencoded

A request to refresh an Access Token. Use this API to refresh an expired Access Token using a valid Refresh Token.

grant_type
enum<string>
required

The type of request being made, in this case a refresh request.

Available options:
refresh_token
Example:

"refresh_token"

client_id
string
required

The client ID of the application requesting to refresh the token.

Example:

"ly1nj6n11vionaie65emwzk575hnnmrk"

client_secret
string
required

The client secret of the application requesting to refresh the token.

Example:

"hOzsTeFlT6ko0dme22uGbQal04SBPYc1"

refresh_token
string<token>
required

The refresh token to refresh.

Example:

"c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ"

Response

Returns a new Access Token that can be used to make authenticated API calls by passing the token in an Authorization header as follows: Authorization: Bearer <Token>.

A token that can be used to make authenticated API calls.

access_token
string<token>

The requested access token.

Example:

"c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ"

expires_in
integer<int64>

The time in seconds by which this token will expire.

Example:

3600

token_type
enum<string>

The type of access token returned.

Available options:
bearer
Example:

"bearer"

restricted_to
Resource scope · object[]

The permissions that this access token permits, providing a list of resources (files, folders, etc) and the scopes permitted for each of those resources.

refresh_token
string<token>

The refresh token for this access token, which can be used to request a new access token when the current one expires.

Example:

"c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ"

issued_token_type
enum<string>

The type of downscoped access token returned. This is only returned if an access token has been downscoped.

Available options:
urn:ietf:params:oauth:token-type:access_token
Example:

"urn:ietf:params:oauth:token-type:access_token"
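
The refresh request and response described above, as an added Python example (not Box SDK code and not part of the original page). It builds the form body in-process so the client secret and refresh token stay out of shell history and process arguments, validates the response fields, and keeps tokens out of `repr` output. The names `TokenSet`, `build_refresh_body`, `parse_token_response` and `refresh`, the 60-second expiry margin, and the sample token values are assumptions made for illustration.

```python
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass, field

TOKEN_URL = "https://api.box.com/oauth2/token"  # endpoint from the page's cURL sample

@dataclass
class TokenSet:
    access_token: str = field(repr=False)   # repr=False keeps tokens out of logs
    refresh_token: str = field(repr=False)
    expires_at: float                        # absolute epoch seconds
    restricted_to: list = field(default_factory=list)

    def is_expired(self, now=None, skew=60):
        # Refresh `skew` seconds early (assumed safety margin, not from the page).
        return (time.time() if now is None else now) >= self.expires_at - skew

def build_refresh_body(client_id, client_secret, refresh_token):
    # urlencode escapes '&' and '=' so no value can inject an extra form field.
    return urllib.parse.urlencode({
        "grant_type": "refresh_token", "client_id": client_id,
        "client_secret": client_secret, "refresh_token": refresh_token,
    }).encode("ascii")

def parse_token_response(raw, now=None):
    data = json.loads(raw)
    if not isinstance(data, dict) or str(data.get("token_type")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    for key in ("access_token", "refresh_token"):
        if not isinstance(data.get(key), str) or not data[key]:
            raise ValueError(f"missing {key}")
    ttl = data.get("expires_in")
    if type(ttl) is not int or ttl <= 0:   # also rejects JSON true/false
        raise ValueError("invalid expires_in")
    issued = time.time() if now is None else now
    return TokenSet(data["access_token"], data["refresh_token"],
                    issued + ttl, data.get("restricted_to", []))

def refresh(client_id, client_secret, refresh_token):
    """POST the refresh request; the caller must persist the returned refresh_token."""
    req = urllib.request.Request(
        TOKEN_URL, data=build_refresh_body(client_id, client_secret, refresh_token),
        headers={"Content-Type": "application/x-www-form-urlencoded"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read())

# Constructed sample response (placeholder token values), parsed offline.
SAMPLE = b'{"access_token":"AT-example","expires_in":3600,"token_type":"bearer","refresh_token":"RT-example"}'
```

Calling `parse_token_response(SAMPLE)` exercises the validation without network access; `refresh()` performs the real request and should be given credentials loaded from a secret store or environment rather than hard-coded.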