
Box Employee

FAQ: Box Platform and APIs

Here is a list of frequently asked questions: 


        1. How do I get a list of all of a user's files and folders?
          There is currently no API that would directly give you all the files or folders belonging to a user in one API call. But you can get all files and folders belonging to a user in multiple API calls.

          You would need to recursively call the Get Folder's Items API to get this data. The process would be:

          1. Call Get Folder's Items to get a user's root folders and files by specifying folder id = 0.
          2. For all folders returned from step 1, call the Get Folder's Items API for each of them.
          3. Repeat this process of calling the Get Folder's Items API until no more subfolders are returned.

        2. What is the As-User header? How do I get access to use this header as a developer?
          The As-User header lets an admin perform any action on behalf of a user via the API. Anything an individual user can do in their own account can now be done by the admin. Please file a support ticket to enable this for your application.

        3. What authentication scheme should I use for my app?
          The OAuth process is designed to be used with Standard Box Users (Managed Users) to access Enterprise Content. The JWT auth process is designed to be used with App Users.

        4. How do I automate the generation of OAuth tokens or run a server-side solution?
          Currently, there is not a way to automate the generation of OAuth tokens, as we do require that the user explicitly grants permission through the web application, but once a set of tokens is generated, they can be kept alive indefinitely through the process outlined below.

          First, you would need to go through OAuth2. Once finished, you are granted an access token and a refresh token.

          • The access token is valid for around an hour.
          • The refresh token is valid for a single refresh in a 60 day period.

          Once you go through the OAuth2 process above, generating the code, you should no longer have to go through that process again, as long as you keep track of your latest refresh token. After generating it once, you can make a POST call to
 using the following parameters:

          • grant_type = refresh_token
          • refresh_token = (your latest refresh token)
          • client_id = (your client id from the app)
          • client_secret = (your client secret from the app)

          This will generate a new access/refresh token pair. The old ones are invalidated, and can no longer be used. Since the refresh call can be made without user interaction, it allows for a programmatic way to refresh your tokens and keep them alive for continued use without having to log in to the web application.

          You can read more about this process in the following Box Developer Community forum thread:

        5. When should I use the developer token?
          The Box developer token is designed for testing purposes, and is not intended for use in production applications.

        6. What are the rate limits around the API?
          There are two limits. The first is a limit of 10 API calls per second per user. The second limit is 4 uploads per second per user.

        7. Can I multi-thread requests?
          Yes, you can make parallel requests as long as you are operating under the rate limits described above. 

        8. How does token expiration work?
          A token is valid for one hour, unless a new token is requested and used. If a new token is requested but not used, the old token is still valid (assuming it is less than one hour old). If a new token is requested and used, the old token will be invalidated.

        9. How do I submit an issue about the Box Content Preview UI Element? 
          Please submit an issue through the Box Content Preview UI Element GitHub repo.
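
The refresh flow from question 4, as an added example that is not part of the original post and not Box's code: because each refresh invalidates the old pair, the new pair is written to disk atomically before the access token is handed out. `TOKEN_URL` is a placeholder (the post's URL is missing), `post` is a hypothetical transport function, and the response field names `access_token`, `refresh_token` and `expires_in` are assumed to follow the standard OAuth2 token response.

```python
import json
import os
import tempfile
import time

TOKEN_URL = "https://token-endpoint.invalid/"  # placeholder: URL is not given on the page

class TokenStore:
    """Keeps the latest access/refresh pair on disk; refresh tokens are single-use."""

    def __init__(self, path, client_id, client_secret, post):
        self.path = path
        self.client_id = client_id
        self.client_secret = client_secret
        self.post = post  # hypothetical transport: post(url, form_dict) -> dict

    def load(self):
        with open(self.path) as f:
            return json.load(f)

    def save(self, tokens):
        # mkstemp creates the file with mode 0600; os.replace swaps it in
        # atomically, so a crash never leaves a half-written token pair.
        directory = os.path.dirname(os.path.abspath(self.path))
        fd, tmp = tempfile.mkstemp(dir=directory)
        with os.fdopen(fd, "w") as f:
            json.dump(tokens, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)

    def access_token(self, now=None):
        now = time.time() if now is None else now
        tokens = self.load()
        if now < tokens["expires_at"] - 60:  # still valid, with a 60 s margin
            return tokens["access_token"]
        reply = self.post(TOKEN_URL, {
            "grant_type": "refresh_token",
            "refresh_token": tokens["refresh_token"],
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        })
        new = {
            "access_token": reply["access_token"],
            "refresh_token": reply["refresh_token"],
            "expires_at": now + reply.get("expires_in", 3600),  # "around an hour"
        }
        self.save(new)  # persist first: the old pair can no longer be used
        return new["access_token"]
```

The token file holds a long-lived credential, so keep it out of source control and backups that other users can read.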
Box Employee

Re: FAQ: Box Platform and APIs

Regarding #6 above, the limits are no longer fully correct. Please refer to this page on the developer docs for accurate rate limit information.