Hi ! 

Great find on seeing those other pages. You're on the right track - Authentication with JWT is the recommended way to go if you don't want users to have to interact with the browser in Standard OAuth2.

I wrote up a more detailed explanation in another post here:

https://community.box.com/t5/Box-Developer-Forum/Simple-use-case/m-p/45256#M3276

And here's the bit thats more relevant to how Box controls "granting access" to applications.

On Box, there always has to be some sort of authorization for an app to act on a user's account. If there is user interaction (Standard Authentication), the user explicitly grants access. If there's not user interaction, the administrator of the user's enterprise must authorize the application via their admin console, which then allows access to that enterprise's users. That's Server Authentication, which is described more in detail here:

https://developer.box.com/v2.0/docs/authentication-with-jwt

And you can see more of a comparison between the two here:

https://developer.box.com/v2.0/docs/authentication

And of course in order to get at the uploads/downloads, you have to have an access token first, which is where the different processes for "granting access" come in. Hope that helps!

Thanks,

Jason

Thank you  for the detail explanation! Greatly appreciate it! This seems to make sense and clear up my confusion!