Skip to main content
Question

Box API help

  • May 22, 2025
  • 5 replies
  • 26 views
C
Forum|alt.badge.img

Hi,

I've been trying to start creating a pipeline for managing files and folders in Box using the Box API. I am having some problems.

I have done the following....

- Created an App based on OAuth 2.0 (user or client authentication)

- Setup a redirect uri for the App based on my company's Box homepage:
https://XXX.XXX.box.com/auth/callback

- Copied the client id / client secret and used the App's client id / client secret to generate a Bearer token using:
curl -i -X POST "https://api.box.com/oauth2/token" -H "Content-Type: application/x-www-form-urlencoded" -d "client_id=XXXXXXX" -d "client_secret=XXXXX" -d "grant_type=client_credentials"

- Copied the Bearer token generated and then used the Bearer token in API calls:
curl -i -X GET "https://api.box.com/2.0/events" -H "Authorization: Bearer ZZZZZZZZZ"

However now I get errors:
{"type":"error","status":400,"code":"bad_request","context_info":{"errors":[{"reason":"invalid_parameter","name":"user","message":"Invalid value 'Box_Anonymous_User 2'."}]},"help_url":"http:\/\/developers.box.com\/docs\/#errors","message":"Bad Request","request_id":"lsnrcsgq24dqcxgu"}

Any idea what I am doing incorrectly?
Is my App maybe setup incorrectly?

If there is a blog or guide to setting up API pipelines with the Box API please feel free to share them :-)

Any help most appreciated!
Thanks, Nick

    5 replies

    C
    Forum|alt.badge.img

    Hey Nick, 

    If I've understood correctly, you've currently selected OAuth2 (user authentication) as your authentication type. This will require end-user interaction via the browser, which it sounds like may not be best for your use case. Later on in your post it looks like you're trying to use client credentials grant to authenticate using a client ID and client secret but that requires selecting OAuth2 with Client Credentials Grant (Server Authentication) as the authentication method. If that is the case and you want to proceed with using client credentials grant, take a look at the cURL example on the page I linked. It's important to note that by default, you'll authenticate as the application Service Account and not your own user. 

    Hope this helps get you on the right track! 

    Best,

    Kourtney, Box Developer Advocate

    C
    Forum|alt.badge.img

    Hi,

    I agree that my original App was created with the wrong "Authentication method".
    So I have created a new App with an "Authentication method" of "OAuth 2.0 with client credentials grant (server authentication)".
    And using the client_id / client_secret and the "enterprise type" / Enterprise ID from that App I used the API call below:
    curl --location --request POST 'https://api.box.com/oauth2/token' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'client_id=XXXXXXX' --data-urlencode 'client_secret=ZZZZZZZZZ' --data-urlencode 'grant_type=client_credentials' --data-urlencode 'box_subject_type=enterprise' --data-urlencode 'box_subject_id=111111'

    Unfortunately this fails:
    {"error":"invalid_grant","error_description":"Grant credentials are invalid"}

    What do I continue to do incorrectly?
    Thanks, Nick

    C
    Forum|alt.badge.img

    Forgive me if I should be starting a separate thread, but I am having similar difficulties.  

    I am able to successfully request and received an access token.  However, when I try to use that token (as bearer token) to create a collaboration, the request fails "not found".  

    I have tested the api call using a dev token and it works no problem.  Which leads me to believe I am making a mistake requesting the access token. 

    My Box app is configured as Authentication method" of "OAuth 2.0 with client credentials grant (server authentication)" and my api call has:

    Content-Type: application/json in the header

    and request body: {
    "box_subject_id":"######",
    "box_subject_type":"enterprise",
    "client_id":"XXXXX",
    "client_secret":"XXXXX",
    "grant_type":"client_credentials"

    Where am I making a mistake: a) in requesting the access token or b) in using the access token?  

    Thanks in advance, 

    Andrew

    C
    Forum|alt.badge.img

    Update:

    I seem to have solved my problem by adding the Service Account as a collaborator to the target folder.  

    Now my API calls work exactly as expected.  

    Thanks

    C
    Forum|alt.badge.img

    Update: my issues were around my App not being authorized as needed. The admin of my Enterprise decided not to authorize it. I have created my own personal account with box.com and authorized my own App so I am now able to generate bearer tokens as per Kourtney's guidance. Thanks.

    Terms of ServiceAccessibility statement