API Bearer Access Token

Hi there,

Sorry for the very basic question, but I was wondering if somebody could guide me on how to generate a “Bearer Access Token” for usage with Box’s API?

I’m trying to authorize the Preflight check before upload API call which requires a Bearer Access Token, but I can’t figure out where I can generate this token.

I was reading through Box’s API documentation, but I couldn’t find definitive steps on how to do this.

Thanks! :slight_smile:

Hello @scotty321,

To get a bearer token, you’ll have to authenticate against the API. This document is a good starting point. Let us know if you have additional or follow up questions!

Also, moving your question to the authentication forum so others looking for this answer can find it more easily.

Hey there @scotty321

There are a few ways to generate a bearer token, aka access token, aka authentication.

Box platform supports Developer Tokens, OAuth2, Client Credential Grants, and JSON Web Tokens.

The easiest, quickest way for you to experiment with the API is probably the Developer Token, which you can generate in the Configuration tab of your application in the developer console. It looks like this:

This developer token lasts for 60 minutes and it must be re-generated in the developer console, so it is not suited for applications, but it will get you started.

You use the token directly in a Bearer header.

I’m happy to discuss the other more formal authentication methods, but let me ask a contextual question first.

What tools/language are you using? Postman? Curl? Any of the SDKs?

Let me know to help me with context.


Thanks, @shurrey! That was the exact support document that I was struggling with. Unfortunately, it doesn’t provide any step-by-step directions for generating a bearer access token.

Thanks for the detailed info, @rbarbosa! :slight_smile:

I’m simply using CURL as part of the HTTP module of Make. (Make is an automation & integration tool that is similar to Zapier, but it is SIGNIFICANTLY more powerful than Zapier. It is literally lightyears ahead of Zapier, and it costs significantly less than Zapier too.)

So I’m trying to create an automation with Box that Make doesn’t natively support in their list of native Box functions, which is why I need to use CURL.

But I would need a bearer token that doesn’t expire after 60 minutes. Do you know of any way for me to generate a bearer token that doesn’t expire?

I second this. I’ve also been trying to generate a token, but I keep getting the error “This application needs to be authorized by the enterprise admin”, and I don’t know who an enterprise admin is.

We’re enterprise-integrated and I found mine by logging on to BOX, navigating to “Account Settings”, clicking the “Account” tab and scrolling down to the bottom under “Account Details”. Our account details including “Admin Contact” are listed there. I had to have my integration token/user approved also…easy peasy!

Very interesting. When I go to that exact same page for my Box account, it doesn’t give me the ability to create a bearer access token. All it says for me on that page is that I have an “individual account”, and I have no other options to do anything. I’m assuming that I will need an enterprise account admin to go to this screen, even though I access all of the shared folders from this enterprise company.

Sounds like you are on the free account. There is a post explaining more about it, but the gist is that free developer accounts are temporarily down while we fix an issue. Creating an app usually migrates your free account to a free dev account, which then gives you admin access. This functionality will be back in a month or two.

Sorry for the inconvenience. :frowning:

Thanks, @shurrey!

  1. That document says that anybody who had a Free Developer Account before March 2023 will still have access. My free account was created about 11 years ago, so I should still have access. I am a consultant for an Enterprise customer who is on Box’s Enterprise Pricing Plan. This client has shared many of their Box folders with me so I can automate them & integrate them using Make (which is an automation tool that is similar to Zapier), but I am unable to get a Bearer Access Token so I can make API calls to Box.

  2. A colleague of mine forwarded me to the Box instructional video on this page, but unfortunately it looks like the instructions in that video are outdated.

  3. However, I was still able to successfully navigate to the “My Apps” page (please see screenshot below), but none of these 3 options on this page seem to give me a Bearer Access Token. Please see screenshot below. I am unable to get a Bearer Access Token by choosing any of the 3 options on this page.

  4. All I need is a Bearer Access Token so I can make API calls to Box. For example, I would like to use the Preflight Check Before Upload API call, and the Box documentation says that I need a Bearer Access Token to make that API call. Is there any way for me to get a Bearer Access Token in Box?

  5. Alternatively, I can also instruct my Enterprise Client to get the Bearer Access Token on his end, since he is logged in as an Enterprise User. I just need proper instructions to tell him on how to get a Bearer Access Token.

Thanks! @shurrey @rbarbosa

Hi Scotty, to get a Bearer Access token, you’d have to create an app (I’d go with Custom App) in the screen shot above. You can select whichever authentication type you like, JWT, OAuth, or client credentials, and then in your code, you would call:

POST https://api.box.com/oauth2/token

to get a Bearer token.

You could also use the Developer Token generated when you create your app, but it is only valid for an hour, so getting the token through the API is a better approach.


Thank you so much for trying to help me.

Unfortunately, this is not enough information for me to get a Bearer Access Token.

When I go to create a Custom App, it gives me the page that you can see in the screenshot below. The only thing I am provided with is a Developer Token, a Client ID, and a Client Secret.

I then called:

POST https://api.box.com/oauth2/token

I substituted the word “token” with the Developer Token from the screenshot below, but Box returned a “404 Not Found” error to me.

Unfortunately, none of this is very user-friendly and I am still stuck in a dead end here. Obviously, this isn’t your fault as you are trying your hardest to help me, but I do feel that this is the fault of the Box engineers who have made this process (1) completely obscure, (2) completely undocumented, and (3) impossibly difficult to successfully complete. If you can pass on my feedback to them, that would be great. I’ve been a software developer for 30+ years and I’ve never had this much difficulty before with any service that I’ve ever used. Unfortunately, it is technical problems like this which is why I have steered most my customers away from Box. As you can imagine, trying to get an API Key from Dropbox, Google Drive, or any of the other cloud storage services is extremely easy – just point-and-click.

Hi @scotty321 ,

There is no way you're going to get a bearer token directly. This is common practice in public APIs that enforce authentication and authorization, such as the Box Platform.

In order to get a bearer token you need to exchange your app credentials for the bearer token.

Since you're using an API integrator like Make, the 2 convenient authentication methods applicable are CCG (client credential grants) or JWT (JSON web tokens), since these do not involve user interaction and HTTP redirections.

Let's take a look at the CCG attributes you'll need to get a bearer token:

  • Client ID
  • Client Secret

You get these from the configuration page on your app:

You’ll also need:

  • Box Subject Type - This can be enterprise or user, depending on whether you're trying to authenticate as a service account or a user account. Let's assume enterprise for the moment.
  • Box Subject ID - The id of the enterprise or the user.

To locate the enterprise id you navigate to the admin console, billing:

You will not have access to this if you are using a new(ish) box free account.

Make sure you re-authorize your app if any configuration changed. You do this on your developer console under the authorization tab for your app:

As an admin of your own developer account you then need to approve the submission. You do this under the Custom Apps Manager tab in the apps section on your admin console:

So far all of these steps are just to make sure your app is configured and authorized.

We are now ready to make a request to exchange the app credentials for a bearer token. You do this by hitting the request access token endpoint on the API: https://api.box.com/oauth2/token; the parameters have to be form encoded. The curl command looks something like this:

curl --location 'https://api.box.com/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=h5...qi' \
--data-urlencode 'client_secret=Tqq...38' \
--data-urlencode 'box_subject_type=enterprise' \
--data-urlencode 'box_subject_id=877840855'

And the result is:

{
    "access_token": "avu...bZI",
    "expires_in": 4028,
    "restricted_to": [],
    "token_type": "bearer"
}

This bearer token has a life of approximately 1 hour (4028 seconds) and once it is about to expire you need to get a new one.

Again, this is not specific to the Box Platform; all APIs that enforce authentication will use a similar process, so it is very likely supported by Make.

I have never used Make, but from the link you shared it looks promising, especially the "Make a Client Certificate Auth request" and the "Make an API Key Auth request". I'm not sure which one is applicable. I couldn't get into the details of Make.

Let us know if this helps.


PS: I’ve just noticed that Make already has a Box Platform integration, check it out here.
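The exchange described in the reply above, as an added example that is not part of this thread and not Box's or Make's own code. It builds the same form-encoded client_credentials request, reads the same JSON reply shape, and keeps the token until shortly before expires_in runs out so that an automation does not have to fetch a fresh token on every call. The token endpoint, field names and reply fields are the ones shown in the reply; the injectable transport and clock, the 60-second refresh skew, and the fake reply in the demo are my assumptions so the block runs offline.

```python
"""Exchange Box client credentials (CCG) for a bearer token and reuse it until
it is about to expire.  Added example, not Box's or Make's code.  Assumptions:
the injectable transport/clock, the refresh skew, and the constructed demo reply."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.box.com/oauth2/token"


def ccg_form_body(client_id, client_secret, subject_type, subject_id):
    """Build the application/x-www-form-urlencoded body for a client_credentials grant."""
    if subject_type not in ("enterprise", "user"):
        raise ValueError("box_subject_type must be 'enterprise' or 'user'")
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "box_subject_type": subject_type,
        "box_subject_id": str(subject_id),
    })


def ccg_request(client_id, client_secret, subject_type, subject_id):
    """The POST to /oauth2/token, equivalent to the curl command above."""
    body = ccg_form_body(client_id, client_secret, subject_type, subject_id)
    return urllib.request.Request(
        TOKEN_URL,
        data=body.encode("ascii"),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def urlopen_transport(request):
    """Send the request and return the raw reply body; a non-2xx reply
    (e.g. HTTP 400 with an OAuth2 error description) becomes an exception."""
    try:
        with urllib.request.urlopen(request, timeout=30) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        detail = err.read().decode("utf-8", "replace")
        raise RuntimeError(f"token request failed: HTTP {err.code} {detail}") from err


class BoxCCGTokenSource:
    """Caches one bearer token and fetches a new one `skew` seconds before it expires."""

    def __init__(self, client_id, client_secret, subject_type, subject_id,
                 transport=urlopen_transport, clock=time.time, skew=60):
        self._creds = (client_id, client_secret, subject_type, subject_id)
        self._transport = transport  # assumption: callable(Request) -> bytes
        self._clock = clock          # assumption: callable() -> seconds
        self._skew = skew
        self._token = None
        self._expires_at = 0.0

    def _fetch(self):
        payload = json.loads(self._transport(ccg_request(*self._creds)))
        if payload.get("token_type", "").lower() != "bearer" or "access_token" not in payload:
            raise RuntimeError(f"unexpected token reply: {payload}")
        self._token = payload["access_token"]
        # expires_in is a lifetime in seconds (4028 in the reply above); renew early.
        lifetime = float(payload["expires_in"])
        self._expires_at = self._clock() + max(lifetime - self._skew, 0.0)

    def access_token(self):
        if self._token is None or self._clock() >= self._expires_at:
            self._fetch()
        return self._token

    def auth_header(self):
        """Header to put on every API call, e.g. the preflight check."""
        return {"Authorization": "Bearer " + self.access_token()}


if __name__ == "__main__":
    # Constructed reply so the demo runs offline; a real run uses urlopen_transport.
    def fake_transport(request):
        return b'{"access_token": "avu...bZI", "expires_in": 4028, "restricted_to": [], "token_type": "bearer"}'

    src = BoxCCGTokenSource("h5...qi", "Tqq...38", "enterprise", "877840855",
                            transport=fake_transport)
    print(src.auth_header())
```

Only the transport ever sees the client secret; the rest of the automation asks for auth_header() and gets a fresh token automatically once the cached one is within the skew of expiring, which is the part that a 60-minute Developer Token pasted into Make cannot do.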

I employ a JWT on a service account that had to be approved by our enterprise admins before I could use it. Since then, however, I’ve had no issues.

Hi @rbarbosa, how do I get the Box admin account?

Thanks again @rbarbosa for these detailed instructions. I was unable to get it to work, but that’s okay because I was able to move my client to a different platform.

I think I should probably mention that the key problem that started this whole thread is the lack of functionality with Box’s “Upload File” API call.

That simple “Upload File” API call is missing the crucial ability to overwrite an existing file of the same name (with a new version of the same name). If that simple functionality was added into the “Upload File” API call, then none of these workarounds would be necessary.

Note that the competing apps to Box (Dropbox, Google Drive, OneDrive) have no problem with their “Upload File” functionality overwriting old files with a new version of the same name. Box is the only one that has this restriction.

Hey @scotty321 ,

I thought this was about getting tokens, you never mentioned you were trying to figure out how to update vs upload a file…

Anyway just to share some context around the file upload topic…

You could consider that in the Box API there are different upload modes.

If you POST to a file id you are in fact updating the file with a new version, no questions asked because you already have the correct file you want to update:


If you POST without a file id you are uploading a new file:


In the SDKs this is much clearer: upload to a folder for a new file, and upload to a file for a new file version.

This is when the preflight check comes in handy, to check if the file exists, if the file fits, etc.

Perhaps we could have put everything on a single upload command, but that wouldn’t be correct. What if you do want to get an error instead of overwriting a file? Even the most basic operating system will ask you for confirmation.

Having a platform do something that you didn't explicitly request is a bad practice, and most likely the platforms you mention do have some flags to prevent that behavior.

For example, Google Drive just duplicates the file with the same name, and Dropbox has some parameters on the upload method, like method, auto-rename, and strict-conflict.

Happy coding
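The upload-versus-new-version decision described in the reply above, as an added example that is not part of this thread and not Box's own code. It runs the preflight check against the target folder first; on success it plans a new-file upload, and on a name conflict it either fails safely (the default) or, when the caller explicitly asks for overwrite, plans a new-version upload to the existing file id, so the "overwrite" is something the caller requested rather than something the platform decided. The endpoint paths, the item_name_in_use code and the context_info.conflicts shape of the 409 reply are assumptions from the public Box API reference, not from this thread (the screenshots are missing); the injected http callable and the fake replies in the demo are mine so the block runs offline.

```python
"""Plan a Box upload safely: preflight first, new file or new version second.
Added example, not Box's code.  Assumptions: endpoint paths, the 409 reply
shape, and the injected http callable (method, url, json_body) -> (status, dict)."""

API = "https://api.box.com/2.0"              # assumption
UPLOAD = "https://upload.box.com/api/2.0"   # assumption


class NameConflict(Exception):
    """Raised when a file of the same name already exists and overwrite was not requested."""

    def __init__(self, existing_file_id, name):
        super().__init__(f"{name!r} already exists as file {existing_file_id}")
        self.existing_file_id = existing_file_id


def preflight_request(name, size, parent_id=None, file_id=None):
    """Preflight for a new file (parent_id) or for a new version of file_id."""
    if (parent_id is None) == (file_id is None):
        raise ValueError("give exactly one of parent_id or file_id")
    if file_id is None:
        return ("OPTIONS", f"{API}/files/content",
                {"name": name, "parent": {"id": str(parent_id)}, "size": size})
    return ("OPTIONS", f"{API}/files/{file_id}/content", {"name": name, "size": size})


def upload_request(name, parent_id=None, file_id=None):
    """The multipart upload to perform: POST without a file id creates a new
    file; POST to a file id uploads a new version of that file."""
    if file_id is None:
        return ("POST", f"{UPLOAD}/files/content",
                {"name": name, "parent": {"id": str(parent_id)}})
    return ("POST", f"{UPLOAD}/files/{file_id}/content", {"name": name})


def choose_upload(http, name, size, parent_id, overwrite=False):
    """Return the (method, url, attributes) upload to perform, or raise.

    overwrite=False is the fail-safe default from the reply above: a name
    clash is an error, not a silent new version."""
    status, body = http(*preflight_request(name, size, parent_id=parent_id))
    if status == 200:
        return upload_request(name, parent_id=parent_id)
    if status == 409 and body.get("code") == "item_name_in_use":
        # assumption: preflight reports the clashing item under context_info.conflicts
        existing = str(body["context_info"]["conflicts"]["id"])
        if not overwrite:
            raise NameConflict(existing, name)
        status, body = http(*preflight_request(name, size, file_id=existing))
        if status != 200:
            raise RuntimeError(f"new-version preflight failed: {status} {body}")
        return upload_request(name, file_id=existing)
    raise RuntimeError(f"preflight failed: {status} {body}")


if __name__ == "__main__":
    # Constructed replies so the demo runs offline: "report.pdf" already exists as 12345.
    def fake_http(method, url, body):
        if method == "OPTIONS" and url == f"{API}/files/content":
            if body["name"] == "report.pdf":
                return (409, {"code": "item_name_in_use", "context_info": {
                    "conflicts": {"type": "file", "id": "12345", "name": "report.pdf"}}})
            return (200, {})
        if method == "OPTIONS" and url == f"{API}/files/12345/content":
            return (200, {})
        return (404, {"code": "not_found"})

    print(choose_upload(fake_http, "new.txt", 10, "0"))
    try:
        choose_upload(fake_http, "report.pdf", 10, "0")
    except NameConflict as exc:
        print("refused:", exc)
    print(choose_upload(fake_http, "report.pdf", 10, "0", overwrite=True))
```

The http callable is where a real client sends the request with the Authorization: Bearer header and parses the JSON reply; the decision logic stays the same whether it is called from a script, an SDK wrapper, or an HTTP module in an integration tool.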


This explanation makes a lot of sense. I’d rather it “fail safely” than do something unintended.
