Hi, I’m trying to create an application which will read the content of a box folder, shared with me, on schedule.
OAuth client_credentials grant type fit my needs well. I’ve created a platform app with authentication using “Client Credentials Grant” to test the authentication.
I’ve tried to obtain the token using the following bash script (it uses httpie) having CLIENT_ID, CLIENT_SECRET, USER_ID set to the appropriate values:
CLIENT_ID="client_id"
CLIENT_SECRET="client_secret"
USER_ID="user_id"
http --print=hHbB --form POST https://api.box.com/oauth2/token \
box_subject_type=user \
box_subject_id=${USER_ID} \
client_id="${CLIENT_ID}" \
client_secret="${CLIENT_SECRET}" \
scope="root_readonly" \
grant_type=client_credentials
and I keep getting the following error:
HTTP/1.1 400 Bad Request
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Transfer-Encoding: chunked
cache-control: no-store
content-type: application/json
date: Thu, 12 Jun 2025 11:36:01 GMT
set-cookie: box_visitor_id=684abba132c8c2.64425943; expires=Fri, 12 Jun 2026 11:36:01 GMT; Max-Age=31536000; path=/; domain=.box.com; secure; SameSite=None, bv=DISC-8908; expires=Thu, 19 Jun 2025 11:36:01 GMT; Max-Age=604800; path=/; do
main=.app.box.com; secure, cn=21; expires=Fri, 12 Jun 2026 11:36:01 GMT; Max-Age=31536000; path=/; domain=.app.box.com; secure, site_preference=desktop; path=/; domain=.box.com; secure
strict-transport-security: max-age=31536000
via: 1.1 google
{
"error": "invalid_grant",
"error_description": "Grant credentials are invalid"
}
Pages which I’ve already read:
- https://developer.box.com/guides/authentication/client-credentials/
- https://developer.box.com/reference/post-oauth2-token
- https://app.box.com/developers/console/app/2397407/configuration
- https://developer.box.com/guides/api-calls/permissions-and-errors/scopes/#read-all-files-and-folders
My account type is Individual, and I don’t have enterprise_id to provide.
If that is the issue, would buying the Enterprise box plan solve my auth issues?