Solved

Clarification on Box MCP Integration Setup

  • June 2, 2026
  • 2 replies
  • 76 views

 We are building a web-based LLM platform (similar to Claude and ChatGPT) and are planning to integrate with Box via MCP (Model Context Protocol). We have noted that Box hosts a remote MCP server at https://mcp.box.com and would like to proceed with the integration. Before doing so, we have a few prerequisite questions:

1. MCP Integration Prerequisites: What are the prerequisites to integrate with Box's MCP server? Is registration or access approval required before connecting?

2. Redirect URL / Whitelist Requirement: For OAuth-based MCP authentication, do we need to register or whitelist any redirect URLs on your end? If yes, where do we submit or register them?

3. Marketplace / App Listing: We noticed your integrations page at Box MCP Server - https://developer.box.com/guides/box-mcp#platform-setup-guides, where tools like Claude, ChatGPT, Microsoft Copilot, and Cursor are listed as MCP-compatible integrations. Since our product is a similar LLM platform, we would like to explore getting listed as well. What is the process to submit or publish our app on this page?

4. Subdomain Architecture: We would like to understand if Box uses subdomain-based architecture for organizations or workspaces — for example, companyname.box.com. If yes, do we need to handle subdomain resolution on our end during the OAuth or MCP integration flow?

5. Admin Console Configuration: We also came across the following in your documentation: "An admin enables MCP in the Box Admin Console and, for custom clients, creates Integration Credentials (OAuth client ID and client secret, redirect URI, and scopes such as Content Actions)."

Could you please share any additional documentation, partner program details, or step-by-step guides related to this configuration?

6. Regional or Other Restrictions: Is the Box MCP server available globally, or are there any regional restrictions, plan-level limitations, or other eligibility requirements that may affect access? We would appreciate any guidance or relevant resources to help us move forward efficiently. Thank you.

Best answer by thomasdeely Box


2 replies

thomasdeely Box
  • Sr. Community Manager
  • Answer
  • June 11, 2026

Thanks @BoxExploration, answers from our team here.

 

Question: MCP Integration Prerequisites: What are the prerequisites to integrate with Box's MCP server? Is registration or access approval required before connecting?

 

Answer: MCP Integration Prerequisites

There are no special prerequisites to integrate with Box’s MCP server; the prerequisites are the same for any other MCP server as defined by the MCP Protocol.

However, to support our preview tool the client needs to support MCP Apps and MCP Resources. Even if the client does not support these, all of the other tools are still compatible.

 

  • Admin Enablement: To connect to the Box MCP Server, a Box Admin must first enable the integration in the Box Admin Console under Integrations (by searching for “Box MCP Server” or filtering by the “MCP” category) and set its availability status to “Available to all users” (as detailed in Box MCP Server Docs.boxnote and MCP Docs.boxnote).

  • Access Approval / Registration: Yes, registration is required. Because the Box MCP Server does not support Dynamic Client Registration (DCR) at this time, you must manually register an OAuth 2.0 app in the Box Developer Console or generate custom credentials in the Admin Console to obtain a Client ID and Client Secret (referenced in Box MCP Server Documentation content.boxnote).

  • AI API Enablement: If your platform plans to leverage Box AI tools (such as AI QA or AI Extract), the admin must explicitly enable the AI API under Admin Console → Box AI → Settings → Enable AI API (MCP FAQ.boxnote).

 

Question: Redirect URL / Whitelist Requirement: For OAuth-based MCP authentication, do we need to register or whitelist any redirect URLs on your end? If yes, where do we submit or register them?

Answer: Redirect URL / Whitelist Requirement

  • Yes, registration is required. For OAuth-based MCP authentication, you must register your client’s Redirect URIs on the Box side.

  • Where to submit/register:

    1. Sign in to the Box Admin Console (https://app.box.com/master).

    2. Navigate to Integrations and find the Custom Box MCP Server (or “Box MCP Server”).

    3. Hover over the application and click Configure.

    4. In the Additional Configuration section, click + Add Integration Credentials.

    5. Under Redirect URIs, enter the Redirect URI provided by your external MCP Client/platform and save (Box MCP Server Documentation content.boxnote and Box MCP Server Docs.boxnote).

 

If you are building an OAuth app in the Developer Console, it would be Configuration → Redirect URIs.

 

Question: Marketplace / App Listing: We noticed your integrations page at Box MCP Server - https://developer.box.com/guides/box-mcp#platform-setup-guides, where tools like Claude, ChatGPT, Microsoft Copilot, and Cursor are listed as MCP-compatible integrations. Since our product is a similar LLM platform, we would like to explore getting listed as well. What is the process to submit or publish our app on this page?

Answer: Marketplace / App Listing

  • Predefined App Directory: Predefined integrations (such as Claude, ChatGPT, and Figma) are listed in the Box Admin Console’s Integrations catalog so that admins can enable them directly without needing custom credentials (Box MCP Server Documentation content.boxnote).

  • Submission Process:
    To start, build an OAuth App in Box Developer console. This can be published within the Integrations center. The approval process is handled by our Business Development department.

    To explore getting your LLM platform listed as a predefined, compatible MCP integration on the developer guides and the Admin Console Integrations catalog, you should coordinate with the Business Development (BD) and Partner Product Management teams. You can initiate this process by reaching out to your Box partner representative or submitting an integration request through the Box Developer Portal.

 

Question: Subdomain Architecture: We would like to understand if Box uses subdomain-based architecture for organizations or workspaces — for example, companyname.box.com. If yes, do we need to handle subdomain resolution on our end during the OAuth or MCP integration flow?

Answer: Subdomain Architecture

 

  • OAuth Resolution: Box does utilize subdomain-based architecture for enterprise organizations (e.g., companyname.box.com). However, for standard OAuth 2.0 and MCP integration flows, authentication requests are routed through Box’s centralized OAuth endpoints (e.g., https://account.box.com/api/oauth2/authorize and https://api.box.com/oauth2/token) which are exposed according to RFC 8414 (Box MCP Server Documentation content.boxnote and MCP Docs.boxnote).

  • Resolution Handling: Your integration does not need to dynamically resolve or handle custom subdomains on your end during the initial OAuth handshake, as Box’s central authorization server automatically handles the user’s session and redirects them back to your registered static Redirect URI.

 

Question: Admin Console Configuration: We also came across the following in your documentation: "An admin enables MCP in the Box Admin Console and, for custom clients, creates Integration Credentials (OAuth client ID and client secret, redirect URI, and scopes such as Content Actions)."

Answer: Admin Console Configuration Guides

To configure custom client credentials step-by-step, an IT Admin should follow these instructions (Box MCP Server Docs.boxnote and MCP Docs.boxnote):

  1. Sign in to the Box Admin Console (https://app.box.com/master).

  2. Go to Integrations and find Custom Box MCP Server (using the MCP Category filter or search bar).

  3. Hover over the app and click Configure.

  4. In the Additional Configuration section, click + Add Integration Credentials to generate a new Client ID and Client Secret.

  5. In the Redirect URIs field, input your platform’s callback URL.

  6. Under Access Scopes, ensure the required scopes are checked:

    • Read all files and folders stored in Box

    • Read and write all files and folders stored in Box (if write actions are needed)

    • Manage AI Requests (required to use Box AI tools)

  7. Click Save.

 

Question: Regional or Other Restrictions: Is the Box MCP server available globally, or are there any regional restrictions, plan-level limitations, or other eligibility requirements that may affect access? We would appreciate any guidance or relevant resources to help us move forward efficiently. Thank you.

Answer: Regional or Other Restrictions

  • Global Availability: The Box MCP server endpoint (https://mcp.box.com) is globally accessible.

  • Plan-Level Limitations: Access to specific tools is governed by the customer’s Box plan (MCP Chargeability and Access.boxnote):

    • Box Hubs tools are restricted to Enterprise and above plans.

    • Box AI tools (AI QA, AI Extract) require a paid business plan with Box AI enabled (Business and above) and require the admin to have enabled the AI API in the Admin Console.

    • Users on plans without Box AI (or free/developer accounts) can still access standard Box data tools (searching, listing folders, downloading/uploading files) but will not have access to Box AI-powered tools.

  • Domain Allowlisting: Certain clients (such as Claude) require domain allowlisting for upload and download URLs to function correctly (MCP FAQ.boxnote). These domains may differ depending on your Box Zone; see here for more details.

 

Let us know if you need more details!
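
An added Python example, not part of the answer above and not Box's own code: it checks a constructed RFC 8414 metadata document against pinned hosts, treats a missing `registration_endpoint` as "no DCR, use the admin-issued client", and builds and verifies the authorization round trip against one exact registered redirect URI. The redirect URI, the client ID placeholder and the metadata dict are assumptions; only the two endpoint URLs come from the answer.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-in for a fetched RFC 8414 metadata document; only the two
# endpoint URLs are taken from the answer above.
SAMPLE_METADATA = {
    "authorization_endpoint": "https://account.box.com/api/oauth2/authorize",
    "token_endpoint": "https://api.box.com/oauth2/token",
}
PINNED_HOSTS = {"account.box.com", "api.box.com"}
# Hypothetical callback; must equal the Redirect URI registered in Box.
REGISTERED_REDIRECT = "https://llm.example.com/oauth/box/callback"


def check_metadata(meta, pinned_hosts=PINNED_HOSTS):
    """Return a list of problems found in the metadata (empty list = usable)."""
    problems = []
    for key in ("authorization_endpoint", "token_endpoint"):
        parts = urlsplit(meta.get(key, ""))
        if parts.scheme != "https":
            problems.append(f"{key}: not https")
        if parts.hostname not in pinned_hosts:
            problems.append(f"{key}: unexpected host {parts.hostname!r}")
        if parts.username or parts.password:
            problems.append(f"{key}: userinfo present")
    return problems


def needs_preregistered_client(meta):
    """No registration_endpoint means no DCR: use admin-issued credentials."""
    return "registration_endpoint" not in meta


def build_authorize_url(meta, client_id, redirect_uri):
    """Build the authorization request; returns (url, state)."""
    if check_metadata(meta):
        raise ValueError("refusing to use unvalidated metadata")
    if redirect_uri != REGISTERED_REDIRECT:  # exact string match, no prefixes
        raise ValueError("redirect_uri is not the registered one")
    state = secrets.token_urlsafe(32)  # binds the callback to this session
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"{meta['authorization_endpoint']}?{query}", state


def read_callback(callback_url, expected_state):
    """Return the authorization code, or raise if the callback is not ours."""
    got, want = urlsplit(callback_url), urlsplit(REGISTERED_REDIRECT)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback did not arrive on the registered URI")
    params = parse_qs(got.query)
    state = params.get("state", [""])[0]
    # Constant-time comparison on bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "code" not in params:
        raise ValueError(params.get("error", ["missing code"])[0])
    return params["code"][0]
```

Store the returned `state` in the user's server-side session before redirecting, and call `read_callback` with that stored value when the browser returns.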

 


Thank you for providing these details. You're asking the right questions before proceeding with a Box MCP integration. Based on the documentation and typical OAuth/MCP integration patterns, here are some points that may help:

  1. MCP Integration Prerequisites
    • You'll typically need a Box application configured with the appropriate OAuth settings and scopes.
    • Access to the Box MCP server may require an enterprise account and admin approval, depending on the capabilities your integration needs.
  2. Redirect URL / Whitelisting
    • For OAuth authentication, redirect URIs generally need to be registered in your Box application configuration.
    • Ensure your callback URLs are configured exactly as they will be used in production.
  3. Marketplace / Integration Listing
    • Public listing on Box documentation or integration pages is usually handled through a partnership or integration review process.
    • Contacting the Box Developer Relations or Partner team is typically the best first step to discuss listing requirements and eligibility.
  4. Subdomain Architecture
    • Box generally uses a centralized authentication model rather than requiring customer-specific subdomains during OAuth flows.
    • In most integrations, you won't need to perform custom subdomain resolution, though enterprise-specific configurations may exist.
  5. Admin Console Configuration
    • Enterprise admins typically need to:
      • Enable MCP access.
      • Create Integration Credentials (Client ID and Client Secret).
      • Configure redirect URIs.
      • Grant required scopes and permissions.
    • Be sure to request only the scopes your application actually requires.
  6. Regional and Plan Restrictions
    • Availability may depend on Box plan type, enterprise settings, and rollout status of MCP-related features.
    • Some capabilities may require Enterprise or higher-tier plans and may not be available in all environments immediately.

Given the strategic nature of your platform, I'd recommend reaching out directly to Box's Developer Relations or Partner team for official guidance on MCP onboarding, listing opportunities, and any enterprise requirements. They can provide the most up-to-date information regarding access approval, supported scopes, and integration publication processes.