API

The OAuth 2.1 “spec” simplifies some of the OAuth 2.0 specifications (e.g. eliminates those that are no longer considered secure, etc). One of the things OAuth 2.1 suggests is using PKCE even for Confidential (Server Side Clients). Here’s what OAuth 2.1 says, " PKCE is required for all OAuth clients using the authorization code flow" I don’t see any mention of PKCE in the Box documentation. Can you tell me if PKCE is being considered for future Box authentication?

Hi - Has there been any change or update to the BOX SFTP? I was able to connect to BOX via SFTP on Thursday, but since Friday I’ve been receiving the error ““Failed: Interactive authentication announced but rejected”. Our login credentials have not changed. I followed the below link to setup the connection.https://urldefense.com/v3/__https://support.box.com/hc/en-us/articles/ [removed by moderator] -Using-Box-with-SFTP__;!!NFWRZ6kECLqu!phiDSBMaKKLIQkISKivtTPZYrj23HEG8wLvWvYQ7EtkrwGihuhmkKAxBQanR5ATwNDCndxzRxby5xEylRR87YSbL$Thank you,Supritha.

Hi everyone, I’m looking to use the Box CLI Scripts to bulk delete Open links in Box in certain folders. I looked at the list of properties you can attach to the string and see nothing that specifies to target Open links, is there a way I can do that or is the script set to delete everything in the folder? Help would be appreciated :)

Hello,I’m facing an issue with Box Sign API: I upload a file via API and create a Sign Request — API responds successfully, but the sign email is not sent. If I upload the same file manually in the same folder and create a Sign Request, the email is sent. Question: How can I make API-uploaded files trigger the sign email automatically, like manually uploaded files?

Hi Box Team,I have a question regarding how API calls are counted towards the license-based rate limit when downloading a file.According to the File Download Guide, when I download a file, the SDK (or my app) first sends:GET https://api.box.com/2.0/files/{file_id}/contentThen Box responds with a 302 redirect, and my client follows it by making:GET https://dl.boxcloud.com/d/1/[long-random-string]/download

Hello,I’m facing an issue with my application that uses Client Credentials Grant. The app has already been authorized by the organization admin.I’m able to authenticate successfully using this request:curl --location 'https://api.box.com/oauth2/token' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'grant_type=client_credentials' \ --data-urlencode 'client_id=<CLIENT_ID>' \ --data-urlencode 'client_secret=<CLIENT_SECRET>' \ --data-urlencode 'box_subject_type=enterprise' \ --data-urlencode 'box_subject_id=<ENTERPRISE_ID>'  With the token obtained, I can successfully call the metadata endpoint:curl --location 'https://api.box.com/2.0/files/<FILE_ID>' \ --header 'authorization: Bearer <TOKEN>'  This returns the file information correctly.However, when I try to download the file, I get a

The OAuth "Grant Access" modal/page is not formatting the redirect URL so that it fits in the provided area, even for URLs of reasonable length.  Looks unprofessional. Suggest that the URL be wrapped so that it fits within the allotted space.

HiI have 3 systems that all need to see updates from Box.  Some of these will cross over (Ie Only 1 system needs to know about signatures but all 3 systems need to see updates about new files created)I know I can not create 3 webhooks against the same folder but can I create a folder structure Folder 1 - Folder 2 - Folder 3 and then my structure beneath folder 3 and attach a single webhook to each of the three folders?  Any activity within the lower levels would in theory trigger all 3 webhooks and update to 3 locations?I know I can not create a webhook at Root!Thanks in advance 

I’m running a fairly straight-forward “ask ai question” API call, but it seems to be failing silently and returning a blank.  Using the same agent and prompt on box.com in UI on the same file, I get an answer, but when I call the exact same thing via API I get a blank.  I’m using the older boxsdk in python.  This is what my code looks like:  items = [ { "id": file_id, "type": "file", "content": "This is the document in PDF format" } ] ai_agent = { 'id':'40266263', 'type': 'ai_agent_id' } result = client.send_ai_question( items=items, prompt=prompt, mode="single_item_qa", ai_agent=ai_agent ) And I get this response:{'answer': '[]', 'created_at': '2025-09-12T08:47

Do any one has any experience connecting Business Objects to Box? We are trying to schedule the file transfer from Business Objects to Box and not able to make the successful connection.

We are needing further clarification on which API calls are chargeable in regards to custom apps.It seems like from our testing that below is true :1 : Upload/Download calls are NOT charged2 : Failed calls are NOT chargedWe are looking at developing a new custom app that will replace our current one for provisioning/deprovisioning users on a daily basis as we are a large org and want to do more than just creating/disabling/deleting users like having reports automatically run or updating metadata.Is there a list or document that details which calls are chargeable and which aren’t?Thanks!

Hey allRegarding use of Box’s `expiring_embed` preview a la:https://app.box.com/preview/expiring_embed/[HASH]?[parameterName]=trueWe’re having difficulties with it on mobile devices. Is it supported on mobile?We’re aware that this page: https://developer.box.com/guides/embed/box-embed/, indicates that there are limitations for displaying on mobile, but it does not explicitly mention that it is not supported. Could this be related to something like X-Frame-Options being DENY’d for security? Thank you-Dave

Using the `https://app.box.com/preview/expiring_embed/[HASH]?[parameterName]=true` route a la: https://developer.box.com/guides/embed/box-embed/#finding-your-shared-link-valueIs there a way to disable the header, or at least, hide/change the “Box” icon at the top of the embedded view?   For context, we’re using this method of previewing a Box File through Outsystem’s ODC IFrameFlowReact module Thank you-Dave

Hi All, We are getting the following error while trying to upload documents. Do you know how to fix this issue? Access to XMLHttpRequest at 'https://api.box.com/2.0/files/content' from origin 'https://abc--c.vf.force.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.Understand this errorgatherer.js:1  OPTIONS https://api.box.com/2.0/files/content net::ERR_FAILED 401 (Unauthorized) Thanks, Chitra

Hello,I’m trying to set an expiration date for a collaborator when inviting them to a folder using the POST /collaborations API.As stated in the API reference, I included the expires_at parameter in my request.However, even after adjusting the Enterprise settings, the expiration date I set is always overridden by the Enterprise policy (60 days).  Here is the request body I sent:{ "item": { "type": "folder", "id": "1234567890" }, "accessible_by": { "type": "user", "login": "user@example.com" }, "role": "editor", "expires_at": "2025-12-30T23:59:59+00:00"

Hello, I’m a software developer, and I made the integration of you application to use the box APIs, it was working well until now, I have an example that I can’t find a solution. If I try to upload a file using the original name “H09819620250904163224INNTRANSCAN.CSV” I’m getting the error 400 - Bad Request, but if I just rename the same file to be “Test.CSV” or any other shorter name it works well without any error. I simulated a double call doing the original name, and getting the error 400, and in sequence just renamed the file to Test.CSV and it worked with no error. At all the documentation and posts we have the information that the limit is 255, but the file name that I’m trying to send is 32, so should be all good. Any suggestion ?  Same file, just copy or renamed. 

Hi, Can you add the Manage Legal Holds scope to these two applications?sidfwd19e6n55hbbwtcuvsidwyd9kysntv46fuavh0flj4fd2gjyn2fqq6s3zhmlThanks

I’m trying to transfer files and folders from one Box user to another. The technique is described in this post:developer.box.com/guides/users/deprovision/transfer-folders/#collaboration-transfer-methodThe last step of the process is to remove access for the owner by removing the collaboration:developer.box.com/guides/users/deprovision/transfer-folders/#remove-transfer-from-user-as-ownerHowever, when you use the API to get collaborations of files and folders using the API, the API only returns the collaborations of users other than the current owner.There was a similar post about this issue in:

Using an App+Enterprise JWT (server Auth) Service Account I am unable to interact with other service accounts using the Box API./users - return only users not service accounts/folders/0/items - returns 403 when I am impersonating (As-User) a Service Account userId.The issue is that I am trying to find all files in the organization, and service accounts can hold files/folders under their file tree, but these are unreachable using the API.Is there any way to find service Accounts and read their files using the API?

My BOX and Salesforce connection was working fine, and the connection was established between the BOX and Salesforce until last week. Starting this week, I am getting “Invalid Crypto Error” while Salesforce and BOX tries to connect.No, update is being made on the Private Key, and the Private Key is not expired as well, and no updates are being made on the BOX as well. All of sudden, the connection between BOX and Salesforce died on me. I tried to look for this issue in BOX and found this article which is not so helpful. My Private key is not encrypted to follow the encryption. I am using PKCS#8 PEM Format Private Key to connect it to BOX. Any suggestion or help on this issue will be really appreciated.Thank you!

During call to query folder by metadata I'm getting HTTP 400 - too_many_instances, this is happening just with one box subscription, it's working for the other oneRequest:curl --location 'https://api.box.com/2.0/metadata_queries/execute_read' \--header 'box-version: 2024.0' \--header 'Content-Type: application/json' \--header 'Authorization: Bearer ****' \--data '{ "from": "enterprise_1234.metadata", "query": "entityId = :entityId and entityType = :entityType", "query_params": { "entityId": 1, "entityType": "TEST_FOLDER" }, "fields": [ "id" ], "ancestor_folder_id": "0"}'Response:{ "type": "error", "status": 400, "code": "too_many_instances", "help_url": "https://developer.box.com/reference/post-metadata-queries-execut

issue 1: Were I have a box account as a admin and have the access to the whole box and things in there i am a partner on a box app in the developer console which i can’t able to access to the webhook v2 (with the signature and security) there i have enabled the manage webhook there but i can’t be able to use the webhook tab in there and use them there…issue 2: were there is no option for creating the access token (the permanent developer token) for my application there i need the specific steps to do it and enable them as well.. I need the proper steps to mitigate these issues and solve it the docs of the box are not suffice in some aspects in there which misses out the the primary and complete steps in there can you guide me through the steps to solve these things in there. 

 OverviewWhen executing the following API, only certain accounts are unable to retrieve the file list, which prevents the process from proceeding.If you have any insights on possible causes or solutions, I would greatly appreciate your guidance. Target APIhttps://api.box.com/2.0/folders/${folderId}/items?fields=id%2Cname%2Ctype%2Cmodified_at%2Cextension%2Cshared_link%2Cexpiring_embed_link&limit=100&offset=0 OAuth Endpoint Authorization: https://account.box.com/api/oauth2/authorize Revoke: https://api.box.com/oauth2/revoke Scope

Hi, I couldn’t find any information on whether I can create custom apps on Business and Business Plus plans. And if we can, can we enable the “App + Enterprise Access” scope for the custom app? Thanks!

Hi, im using n8n box create folder node, sometimes i get this error, seems like box api issues?{  "errorMessage": "The DNS server returned an error, perhaps the server is offline",  "errorDetails": {    "rawErrorMessage": [      "getaddrinfo EAI_AGAIN api.box.com",      "getaddrinfo EAI_AGAIN api.box.com"    ],    "httpCode": "EAI_AGAIN"  },  "n8nDetails": {    "nodeName": "Create a folder",    "nodeType": "n8n-nodes-base.box",    "nodeVersion": 1,    "resource": "folder",    "operation": "create",    "time": "8/11/2025, 5:29:04 PM",    "n8nVersion": "1.102.3 (Self Hosted)",    "binaryDataMode": "default",    "stackTrace": [      "NodeApiError: The DNS server returned an error, perhaps the server is offline",      "    at ExecuteContext.boxApiRequest (/usr/local/lib/node_modules/n8n/node_modules/.pnpm/n8n-nodes-base@file+packages+nodes-base_@aws-sdk+credentia