Client Credentials Grant

Kourtney Meiss, Box Developer Blog, Nov 19, 2020

We are excited to announce a new server authentication method: Client Credentials Grant. Prior to today, we required a public/private key pair and assertion to verify an application’s identity and retrieve an Access Token. Now, with this open standard, you can request a token using only your client ID and client secret!

This authentication method is only available to new applications using the Custom Application app type and will not impact any existing applications. In addition, when you select your authentication method, you will now be unable to switch to another without creating a brand new application. To give Box Admins more visibility and control over what applications they approve, we will include the selected authentication method in the Enterprise Authorization request.

As with generating a key pair via the Box Developer Console, we will now require your Box account to have 2FA enabled in order to view or copy your application’s client secret. As always, your client secret is confidential and should be protected: keep it out of source control and logs, and load it from a secrets store or environment variable at runtime. You can reset it at any time with the click of a button, which immediately invalidates the old value.

The Client Credentials Grant type is best used for machine-to-machine integrations where no end-user authentication is required. It’s the fastest and easiest way to prototype or script against your Box enterprise. In most cases, this grant type is used so that a server can act on behalf of the Box application itself rather than on behalf of a particular user. All applications leveraging the Client Credentials Grant type have an associated Service Account, which is an admin-like user that represents the application. Because that account carries broad privileges, these applications require explicit authorization by a Box admin before use. Once approved, your application will make requests as the Service Account user by default.
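The exchange described above, as an added example that is not code from this post or from Box's SDKs. It assumes the token endpoint is https://api.box.com/oauth2/token and that the request names the enterprise with the Box-specific `box_subject_type`/`box_subject_id` form fields; confirm both against the Box guide. The two JSON responses at the bottom are constructed so the flow runs offline; the `send` argument is a hook for swapping in a real HTTPS POST.

```python
"""Request a Box access token with the OAuth 2.0 client_credentials grant.

Added example, not code from the original post or from Box's SDKs. Assumed
details are marked as such; check the Box guide before relying on them.
"""
import json
import os
import urllib.parse
import urllib.request

# Assumed Box OAuth 2.0 token endpoint.
TOKEN_URL = "https://api.box.com/oauth2/token"


class TokenError(RuntimeError):
    """Raised when the token endpoint returns an OAuth error instead of a token."""


def token_request_form(client_id, client_secret, enterprise_id):
    """Form fields for a client_credentials token request (RFC 6749, section 4.4).

    box_subject_type/box_subject_id are assumed Box-specific fields that name
    the enterprise whose Service Account the token will act as.
    """
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "box_subject_type": "enterprise",
        "box_subject_id": str(enterprise_id),
    }


def build_token_request(client_id, client_secret, enterprise_id):
    """Return (url, urlencoded body bytes, headers) for the POST to the token endpoint."""
    body = urllib.parse.urlencode(
        token_request_form(client_id, client_secret, enterprise_id)
    ).encode("utf-8")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL, body, headers


def parse_token_response(raw):
    """Return (access_token, expires_in seconds); raise TokenError on an OAuth error body."""
    data = json.loads(raw)
    if "access_token" not in data:
        # Standard OAuth error shape: {"error": "...", "error_description": "..."}
        raise TokenError(
            f"{data.get('error', 'unknown_error')}: {data.get('error_description', '')}"
        )
    if str(data.get("token_type", "")).lower() != "bearer":
        raise TokenError(f"unexpected token_type {data.get('token_type')!r}")
    return data["access_token"], int(data.get("expires_in", 0))


def _post(url, body, headers):
    """Real HTTPS POST; only used when no offline transport is supplied."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read()


def fetch_access_token(client_id, client_secret, enterprise_id, send=_post):
    """Exchange client credentials for a Service Account access token.

    `send(url, body, headers) -> bytes` is injectable so the exchange can be
    exercised offline. Never log `body`: it carries the client secret.
    """
    url, body, headers = build_token_request(client_id, client_secret, enterprise_id)
    return parse_token_response(send(url, body, headers))


def bearer_headers(access_token):
    """Headers for the API calls that follow, which run as the Service Account by default."""
    return {"Authorization": f"Bearer {access_token}"}


# Constructed sample responses so the flow runs without network access.
SAMPLE_OK = b'{"access_token": "tok_example", "expires_in": 3600, "token_type": "bearer"}'
SAMPLE_ERR = b'{"error": "invalid_client", "error_description": "client secret rejected"}'


if __name__ == "__main__":
    # Read the secret from the environment rather than hard-coding it in source.
    client_id = os.environ.get("BOX_CLIENT_ID", "example-client-id")
    client_secret = os.environ.get("BOX_CLIENT_SECRET", "example-client-secret")
    enterprise_id = os.environ.get("BOX_ENTERPRISE_ID", "12345")

    token, ttl = fetch_access_token(
        client_id, client_secret, enterprise_id, send=lambda u, b, h: SAMPLE_OK
    )
    print(f"got token ending ...{token[-4:]}, valid for {ttl}s")
    print(bearer_headers(token))

    try:
        fetch_access_token(
            client_id, client_secret, enterprise_id, send=lambda u, b, h: SAMPLE_ERR
        )
    except TokenError as exc:
        print(f"token request rejected: {exc}")
```

To run it for real, drop the `send=` argument so `_post` is used, and set `BOX_CLIENT_ID`, `BOX_CLIENT_SECRET` and `BOX_ENTERPRISE_ID` in the environment. The returned token is short-lived (`expires_in`), so a long-running service should request a fresh one before expiry rather than caching it indefinitely, and the secret should be rotated from the Developer Console if it is ever exposed.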

To learn more about the Client Credentials Grant type, please visit our guide. We’ve also begun to add support for this in our SDK libraries.
