OAuth Confusion and POSTMAN




  • Bibek

    Hi there,

    The first step of the OAuth2 process is to obtain the "authorization_code" after the user authenticates from the browser, which you cannot do from POSTMAN (as far as I know). POSTMAN is used to obtain access tokens once you complete the first step in the browser. However, you do not need to have a published web application to do that. You could use "localhost" or, even better, your Box URL " .app.box.com" as a redirect URL. Both URLs must match in order for this to work.

    • First step is to use this request in a browser
    • Use "localhost" or ".app.box.com" in the redirect URL
    • If the config is correct, it should present you the login screen. Provide uname and password
    • As soon as you authorize the application, it will redirect to the redirect URL appended with the "code" at the end of the URL. e.g. 
    • Now you have 30 seconds to use that AUTHORIZATION CODE in POSTMAN to do the following request:
      curl https://api.box.com/oauth2/token \
      -d 'grant_type=authorization_code&code=YOUR_AUTH_CODE&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET' \
      -X POST
    • YOUR_AUTH_CODE is the auth code that is appended to the URL in the previous step
    • Now that will get you the Access Token and Refresh Token.
    • And since the Access Token lasts 1 hour, you should get a new one with a new call. This time grant_type will be REFRESH_TOKEN. Last time it was authorization_code.
      curl https://api.box.com/oauth2/token \
      -d 'grant_type=refresh_token&refresh_token={valid refresh token}&client_id={your_client_id}&client_secret={your_client_secret}' \
      -X POST
    • Now the process is the same with the code as well. Same way you implement in POSTMAN

    Please see this link for more details:

    OAuth2 Detail


    I hope this helps.




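The code exchange and refresh call from the steps above, as an added example that is not part of the original thread or Box's own code: it pulls the code out of the redirect URL and builds the form-encoded token POST without sending it. The `state` check, the function names and the sample values are assumptions.

```python
from urllib.parse import urlsplit, parse_qs, urlencode
from urllib.request import Request

TOKEN_URL = "https://api.box.com/oauth2/token"  # endpoint quoted in the post above


def code_from_redirect(redirect_url, expected_state=None):
    """Extract the authorization code from the URL the browser was redirected to."""
    query = parse_qs(urlsplit(redirect_url).query)
    if "error" in query:
        # OAuth2 reports a denied or malformed authorization as ?error=...
        raise ValueError("authorization failed: " + query["error"][0])
    # Assumption: a state value was sent with the authorize request.
    # It must come back unchanged, otherwise the redirect is not ours.
    if expected_state is not None and query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch, discard this redirect")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]


def token_request(grant_type, value, client_id, client_secret):
    """Build (not send) the POST for either grant type used in the post above."""
    field = {"authorization_code": "code", "refresh_token": "refresh_token"}[grant_type]
    body = urlencode({
        "grant_type": grant_type,
        field: value,
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("ascii")
    # The fields travel form-encoded in the body, which is what curl -d sends.
    return Request(TOKEN_URL, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


if __name__ == "__main__":
    # Constructed sample redirect; code, state and credentials are placeholders.
    url = "http://localhost/?state=xyz123&code=SAMPLE_AUTH_CODE"
    req = token_request("authorization_code", code_from_redirect(url, "xyz123"),
                        "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET")
    print(req.get_method(), req.full_url)
    # Keep the client secret out of anything that gets printed or logged.
    print(req.data.decode().replace("YOUR_CLIENT_SECRET", "<redacted>"))
```

Passing the returned object to `urllib.request.urlopen` sends the request; in Postman the same fields go in the request body as x-www-form-urlencoded.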
  • Murtza

    Here is the video showing how to use Postman with Box's OAuth process.


  • DimitrisT

    I keep getting error 400 in the second part (the Postman POST to get the token and the refresh) - 

    This is my POST:


    Any pointers, please?


    Thank you

