-
Recently active
Hi everyone, I have a question regarding the application creation process in the Box Developer Console. Previously, as shown in the official documentation, it was possible to select "Limited Access App" when creating a new application.However, in my current console, that option no longer appears. Instead, I am only presented with the following three options under "Platform App":OAuth 2.0 Server Authentication (JWT) Client Credentials GrantMy questions are:1. Has the "Limited Access App" type been deprecated or integrated into these other options?2. If I want to create an app with restricted access (similar to the old Limited Access App), which option should I choose now? I would appreciate any clarification on this change. Thank you!
We occasionally get `401 Unauthorized` with `error="invalid_token"` when calling the Box Content API (e.g., DELETE /2.0/files/<FILE_ID>).This happens about ~2 times per month. Retrying the same operation later often succeeds.We believe the access token itself is not expired at the time of the request:- Access token was obtained at: <UTC timestamp>- Token lifetime: 60 minutes- Request time: <UTC timestamp> (within the lifetime)We also believe we are not using the same token in parallel (single job / single worker).Error response (sanitized):401 Unauthorized{ "request_url": "https://api.box.com/2.0/files/<FILE_ID>", "status_code": 401, "response_header": { "Date": ["Sat, 24 Jan 2026 17:03:05 GMT"], "Www-Authenticate": [ "Bearer realm=\"Service\", error=\"invalid_token\", error_description=\"The access token provided is invalid.\"" ] }}Questions:1) Besides expiration, what are common causes of `invalid_token` on Box APIs?2) Could token refresh / t
[TextContent(type='text', text='{\n "error": "403 The request requires higher privileges than provided by the access token.; Request ID: This is the error I get
I’m trying to use this Nuget package (https://github.com/box/box-windows-sdk-v2/tree/main) to add metadata to files.I followed all the steps in this guide (https://github.com/box/box-windows-sdk-v2/blob/main/docs/Authentication.md#jwt-auth) using the JWT auth method, to set up the platform app, and set up the authentication in the code. I’m using the endpoint described here (https://github.com/box/box-windows-sdk-v2/blob/main/docs/FileMetadata.md#create-metadata-instance-on-file), but when I’m running the code I’m getting an error saying that the file with the Id I’m giving does not exist. I know this is not true because I can get to the same file in the UI, and the Ids match exactly.is there some special permission I need to give the app in order to access my files?
I have a platform app that allows me to use a Java Web Token. I have it working locally on my desk top but it fails with a null pointer exception. (none type object has no attribute encodeIt is failing precisely in line 344 in create_jwt_assertion in box_sdk_gen/internal/utils.py
We are using Box with SSO set to Required and MFA is enforced at our IdP.When trying to view or regenerate a client secret (Client Credentials Grant) or generate a JWT key pair in the Developer Console, Box requires that the user has Box 2-Step Verification enabled.However, when SSO is Required, the Box-native 2-Step Verification setting is not available in the user’s security settings.Questions: Can IdP-side MFA be recognized by Box as satisfying the “2-Step Verification” requirement for Developer Console operations? If not, is it impossible to regenerate client secrets / JWT key pairs in an SSO Required environment without temporarily disabling SSO? Is there an official workaround or supported procedure for this scenario? We want to avoid relaxing SSO policies in production if possible.
When I search up a folder, I get results: The “Leases_Batch_1” is in a subfolder of “Nextpoint - Barings Loan” called “Leases”. When I try to search for the exact same query, one folder down, I get no results.Seems to behave the same using the API setting AncestorFolderIds. Any thoughts or work arounds would be greatly appreciated. If I be this much more specific with my search, I’m far more likely to get an accurate result.Thanks!
I have been attempting to initiate a DocGen process through the API, and am being met with a 403 error indicating insufficient permissions. According to the developer console, ‘Manage Doc Gen’ is checked and enabled. I even forced a token refresh to see if that would make things update. Those efforts have had no effect, and the 403 error is still present. Are there any further steps I can take?The error response in full:{"message":"Insufficient permissions: Document Generation scope not enabled for this OAuth application","status":"error","fileId":null}The app’s service account is the one performing the action, and I have verified that it has access to all of the relevant folders and files the call is attempting to interact with.
We are facing intermittent slowness of downloads and uploads of files to and from box folders. For time period like 6.00 AM to 10.00 AM IST ( 00:30 UTC to 04:30 UTC) we faced slowness multiple times. It does not seem to be related to throttling or rate limiting as no feedback received from the box server side. Download takes very long time and some times timesout. How to troubleshoot this ? How to conclude if it is box side issue or any other dependencies ?
Hey there! My organization uses box to store all our files and such. Locating files new and old can be really difficult on box which has been slowing down efficiency and files are getting lost. I noticed a ton of integrations that are created to help solve this but was curious if anyone has used any and seen success? I am specifically interested in integrations that are secure, low cost or free. Thanks!
I’m currently developing a PHP application that uploads and downloads files to and from a folder in Box. I’ve created a Box App, and it has been approved and enabled by the administrator.However, when I look at the Developer Console, it still appears that the app is not enabled. administrator console : developer console : In fact, when the application attempts to perform JWT authentication, I get the following error:GuzzleHttp\Exception\ClientException: Client error: `POST https://api.box.com/oauth2/token` resulted in a `400 Bad Request` response:{"error":"invalid_grant","error_description":"Please check the 'sub' claim. The 'sub' specified is invalid."} Here is the relevant portion of my code:$json = file_get_contents('KEY_PAIR_FILE.json');$config = json_decode($json);$private_key = $config->boxAppSettings->appAuth->privateKey;$passphrase = $config->boxAppSettings->appAuth->passphrase;$key = openssl_pkey_get_private($private_key, $passphrase);$authenticationUrl = 'ht
After configuring a Box app in my Box Dev console, installed the Box CLI tools and, following the steps in documentation, eventually get to the step where you enter the command:box login -n BoxCLIafter which I’m prompted to enter the client id/secret for my app. After doing so I get the error “signalExit is not a function.” I’ve tried many variations of these steps and rebooted multiple times but always get this same error.
I’m a dev at a video production company. We want to programmatically understand when editors have uploaded new drafts into certain folders in box, but when they use applications like Adobe Media Encoder/Adobe Premiere to render video directly to a folder in Box Drive, Box Drive uploads the file incrementally as it's being written, as it doesn’t understand when the file is fully rendered and ready to be properly uploaded. This triggers multiple FILE.UPLOADED webhooks throughout the render process.For example, when rendering 592.4 MB file, I received 3 FILE.UPLOADED payloads at - 0.09 MB - 184.77 MB - 592.4 MB (render actually complete + fully uploaded)Am I correct that the best workaround for this issue (for assets that generate thumbnails according to https://developer.box.com/guides/representations/thumbnail#supported-file-types) is to:Use the Representations API to check if Box can generate a thumbnail. From my testing, only complete, valid video files produce thumbnails. GET /
For a number of years (and in fact, one of the reasons we started with box), we allowed our students to set an external alias in their box account, and when the student leaves, if they have an external email alias, rather than deleting their account, we “release” it to then.We do this (via the API) by setting their “login” to the external email alias, and then setting “enterprise” to null. Recently, we have been having issues with the process (we only do expires once or twice a year, so it may have been broken for a while). The API call is returning:{ "type": "error", "status": 400, "code": "bad_request", "context_info": { "errors": [ { "reason": "invalid_parameter", "name": "user", "message": "Invalid value 'Box_User [removed by moderator] '." } ] }, "help_url": "http://developers.box.com/docs/#errors", "message": "Bad Request", "request_id": "cnuct6i8l6ythzj9"}I get this error from both my own code (PL/SQL within Oracle) as well as CURL. The calls do not include a “user” parameter at
Hey folks,Im under free developer license, trying to build app, which will access box to upload download files. I cannot use OAuth, since this is part of pipeline flow. And I have to use box, since it’s part of SONY automation portal I’m getting error ‘*BoxOAuthException**: Message: Please check the 'sub' claim. The 'sub' specified is invalid.Status: 400’Is this because my enterprise account = 0? If so, any ways I can use JWT with free licence? Or what tier do I need to carry?
HelloI’m trying to integrate Box into my app for file storage. I think I want JWT Auth as the app will only ever store files in its own Box account. I’m getting a typescript error: Type '{ clientId: string; clientSecret: string; jwtKeyId: string; privateKey: string; privateKeyPassphrase: string; enterpriseId: string; }' is missing the following properties from type 'JwtConfig': tokenStorage, privateKeyDecryptor with the following code: const config = { clientId: BOX_CLIENT_ID, clientSecret: BOX_CLIENT_SECRET, jwtKeyId: '8495cr9l', privateKey: Buffer.from(BOX_PRIVATE_KEY_BASE64, 'base64').toString('ascii'), privateKeyPassphrase: BOX_PASSPHRASE, enterpriseId: BOX_ENTERPRISE_ID,}const jwtAuth = new BoxJwtAuth({config})
If you have been to developer.box.com in the last few minutes, you may notice a lot has changed. We are now live on Mintlify! All the guides and API reference materials you are used to are there. But with Mintlify, the site is built on AI. Thing are now much easier to find, and with the AI Assistant, you don’t even have to find it. Check out all the improvements in this blog.There are more improvements coming, but check it out and let us know what you think!
Hi!I’ve created a custom app using client credentials. After authorizing the app, I noticed that the automation user has a default storage limit of 10 GB.I attempted to increase the storage by first retrieving the user ID via the endpoint “api.box.com/2.0/users/me”, and then sending a PUT request to “api.box.com/2.0/users/{id}”.However, I received a 403 error:error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token."I also verified the app permissions and confirmed that “Manage users” is enabled.Any suggestions on what might be causing this issue?Thanks in advance!
I’m trying to find a way to trigger some automations when a tag is added to a file or folder. I saw this post: and understand there is not currently a webhook event that can do this, but I’m wondering if anyone has figured out a clever workaround? It doesn’t look like there are any Relay events associated with tags either. I see that there is a “TAG_ITEM_CREATE” event type in the Events endpoint: https://developer.box.com/guides/events/, but only by user (i.e., there’s no way to filter enterprise events by that event type)?
When I click 'Run App Diagnostic Report', it gives me an error saying 'Something went wrong. The report did not initiate.'
The API that I use is this :{{BASE_URL}}/enterprise_configurations/{{ENTERPRISE_ID}}?categories=user_settings,securityAnd I always have 404 response. I have made sure the enterprise scope is present in token. Infact I tried to login from my docs using same oauth and receive 404 so is it something that needs to be enabled in account?
Our application was impersonating an account that had viewer uploader permissions on a folder in Box and was able to delete a file thru the API (not Web UI).My understanding was a viewer uploader did not have delete permissions. Is that in the Web UI only?
Hello,I'm running a program that automatically creates folders and shared links using the Box API.After creating a folder, when I execute the shared link creation (PUT /folders/{id}) for the newly created folder,I receive the following error:Status: 404Details: trashedBoth the folder creation and shared link creation are performed by the same user. Also, although the error message says "trashed," the folder is not in the trash and can be viewed normally in the Box Web UI. Therefore, I'm unable to determine why the 404 error is occurring and am stuck. If anyone has experienced a similar problem or knows a solution, I would appreciate your guidance. Thank you in advance.
Hello!I need assistance with enabling my account as a free developer account so I can authorize apps and continue developing. However, I keep seeing the message, "Log in or sign up for a Box Developer account to access all of the Developer Console features," even though I am already logged in.If anyone knows what might be happening or how to resolve this, I would really appreciate your help.
Hi All,We are a Box enterprise customer having developer licence and are currently working on a integration project involving our developer account and the Box REST API. Specifically, we are building api to perform CRUD operations on the Box User object.We need to utilize the User Tracking Codes functionality to accurately tag our users upon creation. the issue is: The User Tracking Codes section is currently not visible in our Box Admin Console under Enterprise Settings > User Settings. Attempts to create a user via the API using the tracking_codes parameter result in a 400 Bad Request error, which is expected if the feature is not active. Question: Please help use to enable the tracking_codes feature for the our account.
Already have an account? Login
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.