API

Hi everyone,I'm trying to integrate Box with WatsonX Orchestrate, and I’ve run into an issue I hope someone can help me with.Here’s my setup:I created a Box application using OAuth 2.0 with Client Credentials Grant (Server Authentication). The application has already been approved by the Box administrator. I’m attempting to connect this Box app to WatsonX Orchestrate. However, when I try to establish the connection from WatsonX Orchestrate, I get the following error:redirect_uri_mismatchI understand that this error typically means the redirect URI used in the authentication flow doesn’t match what’s registered in the Box Developer Console. But since I’m using Client Credentials Grant, there shouldn’t be a redirect URI involved, right?Has anyone successfully c

We are using Box from the user's perspective. We have an Enterprise license.It seems that the SFTP feature has been implemented, so I tried to check the connection because I want to use it for our regular operations, but it appears to be denied with 'Permission denied'.I would like to contact the Box administrator, but is there any permission setting that needs to be configured on the administrator side?ー　ー　ーboxをユーザ側の立場で利用しています。enterpriseライセンスです。SFTPの機能が実装されたということで、普段の運用業務で利用したいと思い接続確認してみましたが、Permission deniedで拒否されてしまうようです。box管理者に問い合わせしたいのですが、管理者側で何か許可設定をする必要はあるのでしょうか。

I’m an admin trying to transfer files from one user who has left our organization to her supervisor… however… I am getting an error "Source User is locked" with the API or “...is in another operation” when attempting to move files or change the folder owner in Box -- it’s been several days and it just never changes. I’ve tried several things and tried waiting for days -- but this is just a weird account that won’t budge.

Hi all — looking for guidance and confirmation on a BC/DR pattern for Box SSO.Current state (redacted): Box Enterprise with SAML SSO enabled. Primary IdP = a third-party SAML provider (not Okta). “SSO Required” is OFF so password logins remain possible. Two Box admin accounts have SSO bypass enabled and strong passwords (tested at https://account.box.com/login). A standby Okta SAML configuration is pre-staged in Enterprise Settings → Authentication (uploaded Okta IdP metadata & SHA-256 signing cert). Okta app uses NameID = EmailAddress; app username = email; standard givenName/sn claims. No change to the production IdP yet—we only want an emergency fallback. SCIM provisioning from Okta i

I’m trying to confirm whether or not Box development could support setting up an SFTP server with Elliptic Curve Digital Signature Algorithm (ECDSA), such as using Server-side authentication using JSON Web Tokens (JWT).  And if so can anyone estimate the effort and/or point me to relevant examples or docs? I know that SFTP is supported with a user password (not SSO) per Box docs, but the financial services client I’m working has security stipulations allowing SFTP but only with key pair authorization (ECDSA preferred). I’m otherwise looking at setting up a basic Azure blob storage SFTP but they don’t support ECDSA specifically, and our teams already use Box for internal project document storage and sharing, so Box would be a preferred method for us if it’s possible. Overall goal is to be able to securely share files back and forth with external clients without requiring Box user licenses and access for those clients individual team members f

I am using a free account and want to generate access token from client credentials without browser login just through api calls.

The OAuth 2.1 “spec” simplifies some of the OAuth 2.0 specifications (e.g. eliminates those that are no longer considered secure, etc). One of the things OAuth 2.1 suggests is using PKCE even for Confidential (Server Side Clients). Here’s what OAuth 2.1 says, " PKCE is required for all OAuth clients using the authorization code flow" I don’t see any mention of PKCE in the Box documentation. Can you tell me if PKCE is being considered for future Box authentication?

Hi - Has there been any change or update to the BOX SFTP? I was able to connect to BOX via SFTP on Thursday, but since Friday I’ve been receiving the error ““Failed: Interactive authentication announced but rejected”. Our login credentials have not changed. I followed the below link to setup the connection.https://urldefense.com/v3/__https://support.box.com/hc/en-us/articles/ [removed by moderator] -Using-Box-with-SFTP__;!!NFWRZ6kECLqu!phiDSBMaKKLIQkISKivtTPZYrj23HEG8wLvWvYQ7EtkrwGihuhmkKAxBQanR5ATwNDCndxzRxby5xEylRR87YSbL$Thank you,Supritha.

Hi everyone, I’m looking to use the Box CLI Scripts to bulk delete Open links in Box in certain folders. I looked at the list of properties you can attach to the string and see nothing that specifies to target Open links, is there a way I can do that or is the script set to delete everything in the folder? Help would be appreciated :)

Hello,I’m facing an issue with Box Sign API: I upload a file via API and create a Sign Request — API responds successfully, but the sign email is not sent. If I upload the same file manually in the same folder and create a Sign Request, the email is sent. Question: How can I make API-uploaded files trigger the sign email automatically, like manually uploaded files?

Hi Box Team,I have a question regarding how API calls are counted towards the license-based rate limit when downloading a file.According to the File Download Guide, when I download a file, the SDK (or my app) first sends:GET https://api.box.com/2.0/files/{file_id}/contentThen Box responds with a 302 redirect, and my client follows it by making:GET https://dl.boxcloud.com/d/1/[long-random-string]/download

Hello,I’m facing an issue with my application that uses Client Credentials Grant. The app has already been authorized by the organization admin.I’m able to authenticate successfully using this request:curl --location 'https://api.box.com/oauth2/token' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'grant_type=client_credentials' \ --data-urlencode 'client_id=<CLIENT_ID>' \ --data-urlencode 'client_secret=<CLIENT_SECRET>' \ --data-urlencode 'box_subject_type=enterprise' \ --data-urlencode 'box_subject_id=<ENTERPRISE_ID>'  With the token obtained, I can successfully call the metadata endpoint:curl --location 'https://api.box.com/2.0/files/<FILE_ID>' \ --header 'authorization: Bearer <TOKEN>'  This returns the file information correctly.However, when I try to download the file, I get a

The OAuth "Grant Access" modal/page is not formatting the redirect URL so that it fits in the provided area, even for URLs of reasonable length.  Looks unprofessional. Suggest that the URL be wrapped so that it fits within the allotted space.

HiI have 3 systems that all need to see updates from Box.  Some of these will cross over (Ie Only 1 system needs to know about signatures but all 3 systems need to see updates about new files created)I know I can not create 3 webhooks against the same folder but can I create a folder structure Folder 1 - Folder 2 - Folder 3 and then my structure beneath folder 3 and attach a single webhook to each of the three folders?  Any activity within the lower levels would in theory trigger all 3 webhooks and update to 3 locations?I know I can not create a webhook at Root!Thanks in advance 

I’m running a fairly straight-forward “ask ai question” API call, but it seems to be failing silently and returning a blank.  Using the same agent and prompt on box.com in UI on the same file, I get an answer, but when I call the exact same thing via API I get a blank.  I’m using the older boxsdk in python.  This is what my code looks like:  items = [ { "id": file_id, "type": "file", "content": "This is the document in PDF format" } ] ai_agent = { 'id':'40266263', 'type': 'ai_agent_id' } result = client.send_ai_question( items=items, prompt=prompt, mode="single_item_qa", ai_agent=ai_agent ) And I get this response:{'answer': '[]', 'created_at': '2025-09-12T08:47

Do any one has any experience connecting Business Objects to Box? We are trying to schedule the file transfer from Business Objects to Box and not able to make the successful connection.

We are needing further clarification on which API calls are chargeable in regards to custom apps.It seems like from our testing that below is true :1 : Upload/Download calls are NOT charged2 : Failed calls are NOT chargedWe are looking at developing a new custom app that will replace our current one for provisioning/deprovisioning users on a daily basis as we are a large org and want to do more than just creating/disabling/deleting users like having reports automatically run or updating metadata.Is there a list or document that details which calls are chargeable and which aren’t?Thanks!

Hey allRegarding use of Box’s `expiring_embed` preview a la:https://app.box.com/preview/expiring_embed/[HASH]?[parameterName]=trueWe’re having difficulties with it on mobile devices. Is it supported on mobile?We’re aware that this page: https://developer.box.com/guides/embed/box-embed/, indicates that there are limitations for displaying on mobile, but it does not explicitly mention that it is not supported. Could this be related to something like X-Frame-Options being DENY’d for security? Thank you-Dave

Using the `https://app.box.com/preview/expiring_embed/[HASH]?[parameterName]=true` route a la: https://developer.box.com/guides/embed/box-embed/#finding-your-shared-link-valueIs there a way to disable the header, or at least, hide/change the “Box” icon at the top of the embedded view?   For context, we’re using this method of previewing a Box File through Outsystem’s ODC IFrameFlowReact module Thank you-Dave

Hi All, We are getting the following error while trying to upload documents. Do you know how to fix this issue? Access to XMLHttpRequest at 'https://api.box.com/2.0/files/content' from origin 'https://abc--c.vf.force.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.Understand this errorgatherer.js:1  OPTIONS https://api.box.com/2.0/files/content net::ERR_FAILED 401 (Unauthorized) Thanks, Chitra

Hello,I’m trying to set an expiration date for a collaborator when inviting them to a folder using the POST /collaborations API.As stated in the API reference, I included the expires_at parameter in my request.However, even after adjusting the Enterprise settings, the expiration date I set is always overridden by the Enterprise policy (60 days).  Here is the request body I sent:{ "item": { "type": "folder", "id": "1234567890" }, "accessible_by": { "type": "user", "login": "user@example.com" }, "role": "editor", "expires_at": "2025-12-30T23:59:59+00:00"

Hello, I’m a software developer, and I made the integration of you application to use the box APIs, it was working well until now, I have an example that I can’t find a solution. If I try to upload a file using the original name “H09819620250904163224INNTRANSCAN.CSV” I’m getting the error 400 - Bad Request, but if I just rename the same file to be “Test.CSV” or any other shorter name it works well without any error. I simulated a double call doing the original name, and getting the error 400, and in sequence just renamed the file to Test.CSV and it worked with no error. At all the documentation and posts we have the information that the limit is 255, but the file name that I’m trying to send is 32, so should be all good. Any suggestion ?  Same file, just copy or renamed. 

Hi, Can you add the Manage Legal Holds scope to these two applications?sidfwd19e6n55hbbwtcuvsidwyd9kysntv46fuavh0flj4fd2gjyn2fqq6s3zhmlThanks

I’m trying to transfer files and folders from one Box user to another. The technique is described in this post:developer.box.com/guides/users/deprovision/transfer-folders/#collaboration-transfer-methodThe last step of the process is to remove access for the owner by removing the collaboration:developer.box.com/guides/users/deprovision/transfer-folders/#remove-transfer-from-user-as-ownerHowever, when you use the API to get collaborations of files and folders using the API, the API only returns the collaborations of users other than the current owner.There was a similar post about this issue in:

Using an App+Enterprise JWT (server Auth) Service Account I am unable to interact with other service accounts using the Box API./users - return only users not service accounts/folders/0/items - returns 403 when I am impersonating (As-User) a Service Account userId.The issue is that I am trying to find all files in the organization, and service accounts can hold files/folders under their file tree, but these are unreachable using the API.Is there any way to find service Accounts and read their files using the API?