Skip to main content
Question

Application access to the user's content

  • May 22, 2025
  • 3 replies
  • 60 views
C
Forum|alt.badge.img

Hi,

I work on investigation of Box API integration. As far as I know there are several ways to work with it.

I would like to get more details for some of them:

  • granting user’s permission to the application through UI (using OAuth 2.0) to access user’s Box content;
  • server side set up that allows to configure application.

Could you, please, inform me about next:

    1. Wether the application will be able to access users content after access token is expired (having granted permission)?
    2. Does user has to grant permission to the application every time the application work with user’s account content?

Unfortunately, I wasn’t able to find anything in the documentation related to how should user grant the permission for the application that has been set up / configured server side. Could you, please, provide me with some information?

 

Thanks in advance

    3 replies

    C
    Forum|alt.badge.img

    Hi Ruslan

    For three legged OAuth 2 apps where the user explicitly grants permissions to the app you will receive an access token and refresh token. The access token is valid for 60 minutes and the refresh token for 60 days. Each time you use the refresh token to get a new access token you will also get a new refresh token so the user will not have to re-authorise until you need a new refresh token (assuming you store the tokens locally)
    For more info: https://developer.box.com/guides/authentication/tokens/refresh/

    For a server side (JWT or Client Credentials Grant), the admin of the Box instance will have to approve the app but after this you can access content without the individual users explicit permission. By default the server side application will authenticate as a service account. To allow the app to interact with the content of specific users you can either: 

    1. Add the service account as a collaborator on the content. https://developer.box.com/reference/post-collaborations/. You can get the login name of the service account from the 'General Settings->Service account info' in the developer console for your app

    2. Use the 'As-User' header to impersonate the user. See https://developer.box.com/guides/authentication/jwt/as-user/ 

    3. Generate a token for the user and use this in API calls. See https://developer.box.com/guides/authentication/jwt/user-access-tokens/

    Hope this helps

    Best regards

    Peter Christensen, Platform Solutions Engineer, Box

    C
    Forum|alt.badge.img

    Hi, Peter Christensen

    Thanks for your reply!

    That’s what I understood from your answer, correct me if I am wrong.

    1. I’ve created server application as admin and can’t get any access to the user box content. The one and only way to share data is add the service account as a collaborator to get access to the user’s box content from the server (using NodeJs SDK) that is connected to the application.
    2. There is no way for user to share box content to the application, except inviting someone to group or adding as collaborator.

    I’ve faced with next problem: I’ve connected a created application to the SDK and API worked correctly, but I can’t find the way how to get access to the user’s box storage where my application would be able to perform reading/writing operations.

    Thanks in advance!

    Best regards

    C
    Forum|alt.badge.img

    Hi Ruslan

    1. Yes, if you have an application with a service account, then the only ways to get access are the ones I outlined: Add as collaborator, use As-User header or use User Token

    2. Correct

    Normally you would be expected to add the service account as a collaborator via the API. If you want to add the service as a collaborator via the UI, you need to copy the service account login details from the developer console app details and paste into the share dialog. 

    Rgds,

    Peter

    Terms of ServiceAccessibility statement