Box UI Kit vs generated Expiring Embed URL
I need parts of both of these features, but unfortunately, I can only have one or the other. The problem with embed URLs is that they are designed for use within an iframe and I need access to events and CSS in the document viewer to integrate into our current app, which used the non-iframed version of legacy Crocodoc. The Box UI Kit seems like it would be a good alternative, similar to how we used the legacy Crocodoc "DocViewer.js" in the past, but it doesn't seem to support the "expiring" functionality of the embed link for security and it also seems to have trouble actually displaying any documents from enterprise integration apps, even when it receives successful responses from its own API to retrieve the document.
Thanks for your question!
The UI kit uses access tokens to fetch content from Box, so in order for the preview to load, the token must be valid. Most of our tokens today expire within 60 minutes. Please refer to the "Token Exchange" portion of this document that explains how you can generate downscoped tokens. Once you have generated a downscoped token, you can pass that to the UI kits, which should provide the same level of security and access that the expiring embed does.
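The token exchange described in the answer above, sketched server-side as an added example that is not part of the original thread or Box's own code. The token endpoint URL, the `base_preview` and `item_preview` scope names, numeric file IDs, and the helper names `build_exchange_params` and `exchange_token` are assumptions of this example.

```python
import json
import urllib.parse
import urllib.request

# Assumed values: Box's OAuth 2.0 token endpoint and the token-exchange URNs.
TOKEN_URL = "https://api.box.com/oauth2/token"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
# Scopes the browser may hold. Anything else is refused before leaving the server.
CLIENT_SAFE_SCOPES = frozenset({"base_preview", "item_preview"})


def build_exchange_params(parent_token, file_id, scopes=("base_preview",)):
    """Form fields that trade a full token for one limited to a single file."""
    if not parent_token:
        raise ValueError("parent token is required")
    if not str(file_id).isdigit():
        # The id is interpolated into the resource URL; reject anything odd.
        raise ValueError("file id must be numeric")
    scopes = list(scopes)
    rejected = [s for s in scopes if s not in CLIENT_SAFE_SCOPES]
    if not scopes or rejected:
        raise ValueError(f"scopes not allowed for client use: {rejected}")
    return {
        "grant_type": GRANT_TYPE,
        "subject_token": parent_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "scope": " ".join(scopes),
        "resource": f"https://api.box.com/2.0/files/{file_id}",
    }


def exchange_token(parent_token, file_id, scopes=("base_preview",), timeout=10):
    """POST the exchange and return (downscoped_token, lifetime_seconds)."""
    body = urllib.parse.urlencode(
        build_exchange_params(parent_token, file_id, scopes)).encode()
    req = urllib.request.Request(TOKEN_URL, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        payload = json.load(resp)
    return payload["access_token"], payload.get("expires_in")
```

Only the token returned by `exchange_token` is sent to the page that loads the viewer; the parent token stays on the server.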
I'm already generating a token on the server side, through the Python SDK in this case. I generate a token and pass it, as well as the file GUID, to the client. The client then makes the request to obtain a viewer through the Box Preview JS client. My original process was to create an embed URL link on the server side and pass that to the client. Unfortunately, this has severe limitations since it must be used in an iframe. Is the token generated from my server-side Box Session not usable for the client-side viewer?
What's odd is that, even though the viewer displays a message "We're sorry the preview didn't load. Please refresh the page", there is a download link just below this text, and that link works fine - it is only the preview that is breaking. The JSON response to the viewer request for the document is also successful.
That does sound odd. Would you mind submitting a case so we can help you investigate this?