Skip to main content
Question

.NET SDK -- Where is my refresh token?

  • May 22, 2025
  • 5 replies
  • 57 views
C
Forum|alt.badge.img

I keep reading that I am responsible for retrieving and saving a Refresh Token.  And then I read in some posts that the SDK handles that behind the scenes.  So, I'm confused.

 

Here's what I'm using to test uploading files:

public BoxClient CreateAccessClient(string tokenFilePath)
{
    BoxClient result = null;

    // Open a stream to read and dispose of the automatically created Box configuration file.
    using (FileStream fs = new FileStream(tokenFilePath, FileMode.Open, FileAccess.Read))
    {
        // Initialize the SDK with the Box configuration file and create a client that uses the Service Account.
        var session = new BoxJWTAuth(BoxConfig.CreateFromJsonFile(fs));
        result = session.AdminClient(session.AdminToken());
    }

    return result;
}

I'm using the JSON file I downloaded when I created my App.  I understand I'm using my App's Service Account (on a Developer's account) for access and this appears to be working OK for uploading and getting shared links.  But, I'm not seeing a Refresh Token.  In looking at the debug information for the client I create above, I see a RefreshToken variable in BoxClient.Auth.Session.RefreshToken, but it's null.  And I do see my access token has a lifetime of 60 minutes.

 

Do I assume correctly that in 60 days from the time I created my App account, I won't be able to connect anymore?  If so, what do I need to change.  Thanks!

    5 replies

    C
    Forum|alt.badge.img

     Since you are authenticating with JWT, not getting a refresh token is expected. I'll explain in more detail below. 

     

    We have two main authentication types: OAuth2 and JWT 

    • With OAuth2, when you request a new API token you get an access token that expires in 60 minutes and a refresh token that expires in 60 days. The refresh token can only be used once to get a new access token, and when you use the refresh token our API will send back a new refresh token.
    • With JWT, there is no refresh token to manage. You use your existing JWT credentials to get a new access token. This gives your application persistent access to the Box enterprise that authorized your application. 

    Please let me know if that answers your question? 

    C
    Forum|alt.badge.img

    That sounds like what I wanted to hear.  Thanks!

    C
    Forum|alt.badge.img

    Hi

     

    I created a JWT using the Developer dashboard for my Box enterprise application.  Are you saying, that my client application can use this JWT forever to call my Box application?  There is no need to ever generate a new JWT and then update my client application use it?

     

    Chuck

     

    C
    Forum|alt.badge.img

     Your application's JWT credentials (client id, client secret, enterprise id, public/private key pair) do not expire. However, the access token that you generate with your JWT credentials expires after one hour.

    C
    Forum|alt.badge.img

    So do I refresh the access token, our just reauthenticate? If refresh, how do I do that?

    Terms of ServiceAccessibility statement