API

Current State:The downscoped token used for this has the permission for “base_explorer item_delete item_download item_upload item_preview” The app that’s being used has Co-Owner permission as well.  The Content Explorer renders based on the following settings:  We had a response Interceptor to the Box Content Explorer, but even after removing that and using OOB Box Content Explorer functionality, the download doesn’t work. I would only get something if I were to manually copy paste the download link from the response to a browser:   The download doesn’t work, neither does Preview I’ve been following the documentation provided here: https://developer.box.com/docs/box-content-explorer I believe something is wrong here and need your assistance. What needs to happen for the download to work?

I was having the same problem as the following thread:When i try to generate a token by API with the box_subject_type: user, i get this messege: I noticed that i dont have access to an Admin account, but I intent on using the api to upload files to my personal box. Do I have to publish my app before hand? But its to much of a trouble for a simple use. 

Hi,I was looking for a way to delete a user using this method : curl -i -X DELETE "https://api.box.com/2.0/users/$userID?force=true" -H "authorization: Bearer $mytoken"HTTP/1.1 404 Not Founddate: Fri, 13 Jun 2025 10:20:28 GMTcontent-type: application/jsonx-envoy-upstream-service-time: 110box-request-id: 084aa24f457de6630b1c1719f0ffcea0ecache-control: no-cache, no-storestrict-transport-security: max-age=31536000Transfer-Encoding: chunked{"type":"error","status":404,"code":"not_found","help_url":"http:\/\/developers.box.com\/docs\/#errors","message":"Not Found","request_id":"9qmpq2i2dviyjv95"}I have replaced personal data $userID and $mytokenA GET request is working properly.Many thanks

I’ve created the platform app, to list files in the folder shared with me. This app has a “Client Credentials Grant” authentication This app has “Make calls using as-user header” permissionIn my account ( which is an enterprise admin) I have two folders: “XXX” and “My Box Notes”.When I list my root folder using https://api.box.com/2.0/folders/0/items I can only see “My Box Notes”. What should I do to see the “XXX” folder which was shared with me?

Hi there,I'm trying to understand whether it's possible to use the Box API with a free account. I’ve successfully created an application, but it seems like it remains unapproved indefinitely.From what I can tell, without this approval, the API doesn't function properly. Could someone clarify whether free accounts can gain approval for apps or if API access is restricted to paid plans?Thanks in advance for your help!Best regards,  

Hi,I have created an application (2392115) to read the files from a program. It is in status “Pending Authorization”. How long it takes to get approved?  Thanks. 

If I have created an app with client_credentials grant, what happens if the user account with which the app was created gets deleted/removed. Will the app still function? https://support.box.com/hc/en-us/community/posts/360049153294-What-happens-to-custom-apps-created-by-a-user-when-that-user-s-account-is-removed-Above post suggests that the app will be orphaned, and once the collaborator is added to the app, it will function. But my query is mostly related to client_credentials grant app, as I’m using the app creds with box_subject_type as user and box_subject_id as user_id of the user who created the app. If the user gets deleted, will I get invalid grant_credentials error? And can I still use the app with other user’s user_id?

Hi, I’m trying to create an application which will read the content of a box folder, shared with me, on schedule.OAuth client_credentials grant type fit my needs well. I’ve created a platform app with authentication using “Client Credentials Grant” to test the authentication. I’ve tried to obtain the token using the following bash script (it uses httpie) having CLIENT_ID, CLIENT_SECRET, USER_ID set to the appropriate values:CLIENT_ID="client_id"CLIENT_SECRET="client_secret"USER_ID="user_id"http --print=hHbB --form POST https://api.box.com/oauth2/token \ box_subject_type=user \ box_subject_id=${USER_ID} \ client_id="${CLIENT_ID}" \ client_secret="${CLIENT_SECRET}" \ scope="root_readonly" \ grant_type=client_credentialsand I keep getting the following error:HTTP/1.1 400 Bad RequestAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Transfer-Encoding: chunkedcache-control: no-storecontent-type: application/jsondate: Thu, 12 Jun 2025 11:36:01 GMTset-cookie: box_visitor_id=684abba132c8c2

Hello we need to temporarily raise our rate limit so we can bulk create and permission box folders to onboard a large new customer

I have a list of users for whom I need to change status from Active to Inactive. Is there any way to do this in bulk?

Hi,In CCG model , what is the minimum requirement should business plant be sufficient or should I get a Enterprise plan for App+Enterprise Access.Also, may I know the client secret expiry duration.

I am creating a workflow from our website. I have set up the necessary Developer tokens and IDs and submitted for authorisation but it has been over a day and no response. I am unable to move forward with the integration without the authorisation.Any assistance would be much appreciated. This is the message I am getting from my account! 

Problem StatementThe /events API, when used with the stream_type parameter set to admin_logs or admin_logs_streaming, returns limited metadata in the source field — typically including only basic attributes like id, name, parent, and owned_by.However, when the same endpoint is used without explicitly setting the stream_type parameter (which defaults to all), the source field includes significantly more detailed information. This includes attributes like path_collection, file_version, timestamps (created_at, modified_at, etc.), and ownership metadata. Proposed Enhancement We request that the /events API be enhanced to return a more complete source object structure across all stream_type values — especially for admin_logs and admin_logs_streaming. Alternative Suggestion If a uniform response structure cannot be guaranteed across all stream types, we propose introducing an optional API query parameter that allows clients to explicitly request extended metadata in the response (e.g., field

Hi, I hope I'm not asking what I've already asked in another post, but I couldn't find it.I'm a bit lost regarding the best option for implementing automatic access to the Box API from a backend program (I only want to download a file every so often).Since it will be automated, I also need the token generation to be automated (if applicable), but using OAuth2.0 makes things more complicated because the refresh_token is dynamic, the auth code to generate it is also dynamic, and I haven't found a way to generate each one through code or CURLs.I have a way to store client_id, secret_id because they don't change, but I can't save dynamic values, I would need to generate them all in session, at the moment.For the account I want to implement it is enterprise.Thanks

Hi there! I am using Box.Sdk.Get and getting timeouts of 100 seconds on the client.Upload.UploadFileAsync. How do I increase the timeout value?  Thank you!

I’ve integrated the Box Java SDK (v4.11.1) into my Spring Boot application:<dependency> <groupId>com.box</groupId> <artifactId>box-java-sdk</artifactId> <version>4.11.1</version> </dependency> All required configuration properties (OAuth2 credentials, PEM key, client ID/secret, etc.) have been supplied, but the application fails to start with the following exception:… 33 common frames omitted Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [com.box.sdk.BoxAPIConnection]: Factory method ‘boxAPIConnection’ threw exception; nested exception is java.lang.NullPointerException: Cannot invoke “org.bouncycastle.openssl.PEMKeyPair.getPrivateKeyInfo()” because “keyPair” is null at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185) at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653) … 47 c

Hi,We’re under the business subscription.Via the Web UI, we have the option to ask a question or summarize a file using AI.Trying to use the ask API (/ai/ask) via postman, I get back status: 403, code: insufficient_scope and message: The request requires higher privileges than provided by the access token.In the scopes (Scopes - Box Developer Documentation), there is a scope for AI APIs, ai.readwrite, though in my box integration setup it is not listed as an option to be added to the app scope being used. For a test, even after enabling all scopes, its the same.If I try to add this scope via the postman scope config options (see screenshot below), and regenerate the Access Token, than get “Authentication failed” with “Error: invalid_scope”, probably as it does not correlated with the scopes for the app integration (client_id and secret) being used.Any idea how this scope can be added? Is that maybe restricted for the business subscription? If so, what is the min subscription needed for

Question came up on our roundtable with Federal Contractors yesterday.  

The file is still not uploading via the API. The response returned was '401 Unauthorized'.It worked fine approximately 2 hours ago. 

Hi team, Is there any API supported by box to get historical user details (deleted users, any updates done in users details). I’m currently using List Enterprise User endpoint, which gives me list of all the users present at the moment, but I need historical users details.The API I’m currently using is: https://developer.box.com/reference/get-users/ 

hellois there a way round the 1 hour developer token?I am just trying to batch download files as a one off but keep hitting the 1 hour limit CheersLuke

I have created an application of JWT type in Box Developer console. But i dont see any option to approve/enable the application.My role is admin appearntly but i am still not allowed to approve it. I was invited to join the Box by another user.

Before signing up for a business account, I would like to verify the behavior of Box API features—particularly user creation/deletion and folder creation/deletion. Is there any way to do this?

I am currently working on a use case that involves retrieving and analysing documents stored in Box using Watson Discovery. The objective is to enable a conversational chatbot that can extract and provide specific information from these documents based on user queries. To achieve this, Watson Discovery needs to successfully crawl, index, and process the content stored in Box.While I have successfully authenticated and connected my Box account with Watson Discovery, I am encountering the following error:"There was an error in creating your source crawl: the source configuration for this collection defines no content to crawl."Despite ensuring that all necessary permissions have been granted in the Box Developer Console and verifying that the Box folder contains multiple documents, Watson Discovery is not retrieving any content.When i asked few of my colleagues they told to contact box support because related issues was solved through box support.. but i am unable to find any related blo

Have created folder with Fil Request collection ‘webpage’ that include some meta data fields.  Want to use this so clients can upload documents securely via link on email autosignature per user. Trying to create Box flow (or using power automate) to send email notification to user when new file is uploaded, but want to include more info than what the generic notification sends.Something like:A new file, {{File Name}}, was uploaded to {{Folder Name}} by {{name}}.Uploaded by: {{Uploader Email}} (if available)Comment: {{Metadata: Comments}} but can’t get this to work with the variable entries as I currently built them (ie {{File Name}}. Does anyone know the formatting Box requires?