Box API help

New post



  • Kourtney

    Hey Nick, 

    If I've understood correctly, you've currently selected OAuth2 (user authentication) as your authentication type. This will require end-user interaction via the browser, which it sounds like may not be best for your use case. Later on in your post it looks like you're trying to use client credentials grant to authenticate using a client ID and client secret but that requires selecting OAuth2 with Client Credentials Grant (Server Authentication) as the authentication method. If that is the case and you want to proceed with using client credentials grant, take a look at the cURL example on the page I linked. It's important to note that by default, you'll authenticate as the application Service Account and not your own user. 

    Hope this helps get you on the right track! 


    Kourtney, Box Developer Advocate

    Comment actions Permalink


    I agree that my original App was created with the wrong "Authentication method".
    So I have created a new App with an "Authentication method" of "OAuth 2.0 with client credentials grant (server authentication)".
    And using the client_id / client_secret and the "enterprise type" / Enterprise ID from that App I used the API call below:
    curl --location --request POST '' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'client_id=XXXXXXX' --data-urlencode 'client_secret=ZZZZZZZZZ' --data-urlencode 'grant_type=client_credentials' --data-urlencode 'box_subject_type=enterprise' --data-urlencode 'box_subject_id=111111'

    Unfortunately this fails:
    {"error":"invalid_grant","error_description":"Grant credentials are invalid"}

    What do I continue to do incorrectly?
    Thanks, Nick

    Comment actions Permalink
  • Andrew Behrend

    Forgive me if I should be starting a separate thread, but I am having similar difficulties.  

    I am able to successfully request and received an access token.  However, when I try to use that token (as bearer token) to create a collaboration, the request fails "not found".  

    I have tested the api call using a dev token and it works no problem.  Which leads me to believe I am making a mistake requesting the access token. 

    My Box app is configured as Authentication method" of "OAuth 2.0 with client credentials grant (server authentication)" and my api call has:

    Content-Type: application/json in the header

    and request body: {

    Where am I making a mistake: a) in requesting the access token or b) in using the access token?  

    Thanks in advance, 


    Comment actions Permalink
  • Andrew Behrend


    I seem to have solved my problem by adding the Service Account as a collaborator to the target folder.  

    Now my API calls work exactly as expected.  


    Comment actions Permalink

    Update: my issues were around my App not being authorized as needed. The admin of my Enterprise decided not to authorize it. I have created my own personal account with and authorized my own App so I am now able to generate bearer tokens as per Kourtney's guidance. Thanks.

    Comment actions Permalink

Please sign in to leave a comment.