
We want to make you aware of a recent effort by certain third-party bad actors to leverage free Box developer accounts in a social engineering attack on certain Box free individual accounts. Upon discovery of this issue, Box decided to temporarily disable new sign-ups for free developer accounts while we work to implement additional technical controls to prevent similar efforts in the future. The security and integrity of our Service is of utmost priority to Box, and we must ensure that we are providing the most secure product experience to our customers.



We understand that some Enterprise customers use these free developer accounts for their own business purposes, and that they may have questions about their inability to sign up for new free accounts. Please use the following talking points when addressing these Customers’ questions or concerns:





  1. Any free developer accounts that were in place before March 9, 2023 are unaffected by this action;


  2. Customers may continue to use these pre-existing accounts, in particular they may continue to invite new/additional collaborators within their organization to work within those existing developer accounts;


  3. Enterprise customers always have the ability to start a sandbox environment for non-production development purposes.


  4. No timeline for turning the console on, but we are working through making the process more secure.




As updates become available, we will share those more broadly with account teams and any customers who have questions about this issue. In the meantime, please reach out to box-notifications-team@box.com with additional questions or concerns.

What does this mean?



If your current developer account has both access to the administrator console and the developer console, you’re golden, keep working.



If you are working for a Box enterprise customer they can request a sandbox, which is an isolated Box environment, to proceed with your coding.



For details about the sandbox, take a look at this support note.



If you do not have access to a Box enterprise account, you can still use the free account, but you will be limited to OAuth2 authentication applications. Of course, you can always generate a developer token.



For most use cases, this will be sufficient, and you’ll be able to work with most of the API endpoints that deal with:





  • Read and write files


  • Manage users and groups


  • Manage webhooks


  • Make API calls with the as-user header



What are the steps?



Create a Box free individual account, no credit card required.





Complete the registration process



Make sure you are logged in, and at this point you won’t see the developer console on your browser.





Navigate to Box | Login, and you now have access to the developer console.





Create an application, and select “custom app”.





Click next, and then select “User Authentication (OAuth 2.0)”





Click next, scroll down to Redirect URIs and add your callback URI.





Scroll down to Application Scopes and select what you need.





Save the changes.



If you go back to your account, you will now see the developer console menu icon.





You’re done!
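The app configured in the steps above uses the OAuth 2.0 authorization-code flow against the redirect URI you registered. As an added example (not part of the original post and not Box's own code), the Python below builds the authorization URL with a one-time `state` value, validates the callback before accepting the code, and prepares the token request. The client ID, client secret and callback URI are constructed placeholders, and the helper names are hypothetical.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Box's documented OAuth 2.0 endpoints.
AUTHORIZE_URL = "https://account.box.com/api/oauth2/authorize"
TOKEN_URL = "https://api.box.com/oauth2/token"

# Constructed placeholders: use the values from your app's Configuration tab.
CLIENT_ID = "EXAMPLE_CLIENT_ID"
CLIENT_SECRET = "EXAMPLE_CLIENT_SECRET"
REDIRECT_URI = "http://127.0.0.1:8000/callback"  # must match the registered URI


def new_state():
    """Unguessable per-login value that ties the callback to this session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(state):
    """URL the user's browser is sent to in order to grant access."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Return the authorization code, or raise ValueError if the callback is not trustworthy."""
    got, want = urlparse(callback_url), urlparse(REDIRECT_URI)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match the registered redirect URI")
    query = parse_qs(got.query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    state = query.get("state", [""])[0]
    # Constant-time comparison; a mismatch means the response is not ours (CSRF).
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("missing authorization code")
    return code


def token_request_body(code):
    """Form fields to POST to TOKEN_URL from the server side, never from the browser."""
    return {"grant_type": "authorization_code", "code": code,
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}
```

Keep the client secret and the returned access and refresh tokens out of source control and client-side code; the authorization code is single-use and short-lived, so exchange it immediately.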


Enterprise ID = 0 issue



I have found Spencer Easton’s Service Account solution for Google Cloud on JWT authentication while building a script for downloading media items from Google Photos to Box. After 7 hours of non-stop trial and error, it worked. (God sent GPT)





Then I hit another wall.





Then I came here.


This time I learned Box had closed down new developer accounts.



I have also tried the developer token and established the connection at least. But that will be temporary.



I have been using Box for 10 years but recently I decided to develop solutions on it. I was a Box advocate for many years and promoted it to hundreds of people. So Box was calling me for Beta tests always.



I am planning to promote more Box integrations and company-wide usage for my organizations and clients. It would be great to hear your thoughts, guys. Since the issue was open for nearly 9 months, I reckon.


Hi @demironmanx, welcome to the forum.



As I mentioned in our private conversation, the free developer accounts are going to be back soon. In fact I’m happy to report to the community that a lot of progress has been made and this issue is not at all forgotten.



I’m not even sure what stack (python, java, c#, node) you’re using. However I did create a mini python app that you can run and it collects the OAuth 2.0 tokens. You could then grab these and temporarily use them on your app, even if server side.



I wonder if this would alleviate your issue.



Let us know


Good to hear from you @rbarbosa, thank you for guiding me.



When the developer accounts are back, we can switch to JWT since we were not planning to show up in the app gallery.



Let me convert your Python app to Google Apps Script. I had stepped back when I saw OAuth 2.0 was requesting app submission to the gallery. We can go with it until the issue is resolved completely.



Best regards


The free developer accounts are back.




Is there any sample to refer to for a Node.js-based script leveraging OAuth 2.0 based authentication that uploads files as well?


Hi @boyoboy18



This is a very old topic, please open a new one with your question

