How to Create a Client Object for Accessing All Functionalities on Behalf of Enterprise Users in Box API?

I have a Box enterprise account, and I want to create a client object that can perform various operations on behalf of enterprise users. My goal is to access and manage files and folders. To achieve this, I’ve explored two authentication methods: developer tokens and JWT authentication. Is it true that developer tokens should not be used for production? If yes then I am left with JWT Authentication.

JWT Authentication: I’ve looked into JWT authentication, which appears to be suitable for server-to-server communication. However, I’m unsure about how to set up the following JWT authentication parameters:

  • jwt_key_id
  • rsa_private_key_file_sys_path
  • rsa_private_key_passphrase

Additionally, I would like to know how to create a client object using JWT authentication to access enterprise users’ data and perform operations as the Service Account or individual App Users.

Hi @user112

You are correct, JWT is the way to go here.

Developer tokens only last 60 minutes and need to be manually generated, so not feasible at all.

This guide should help you:

We also have some samples in Python and Node. Let us know if this helps.


I’m interested in using JWT (JSON Web Token) authentication with Box to access and manage files and folders on behalf of enterprise users. However, I want to ensure that this method won’t affect the ability of Box users to log in to their Box accounts and grant access to my app when they choose to do so.

  1. Will using JWT authentication prevent Box users from signing in to their Box accounts and granting access to my app?
  2. How should I generate the rsa_private_key_passphrase when creating a private key for JWT authentication?

Thanks in advance.

Hi @user112

I guess I need more details on what type of app you are trying to build.

If you want your users to explicitly grant permissions to your app, then this points to the OAuth 2.0 authentication type.

If you want your app to perform actions independently of the users then JWT is more appropriate.

Take a look here at the different application types and use cases.

Check out this document on how to generate a private/public key pair.
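
As an added example (not part of the thread and not Box's own code), the sketch below shows how the fields of the JSON config downloaded from the Box Developer Console map onto the `JWTAuth` parameters asked about above, and one way to generate a passphrase for a self-generated key. The sample config values are constructed placeholders, and the helper names are hypothetical.

```python
import json
import secrets

# Constructed sample shaped like the JSON config the Box Developer Console
# offers for download when a key pair is generated; values are placeholders.
SAMPLE_CONFIG = json.dumps({
    "boxAppSettings": {
        "clientID": "CLIENT_ID_PLACEHOLDER",
        "clientSecret": "CLIENT_SECRET_PLACEHOLDER",
        "appAuth": {
            "publicKeyID": "abcd1234",
            "privateKey": "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
                          "PLACEHOLDER\n-----END ENCRYPTED PRIVATE KEY-----\n",
            "passphrase": "PASSPHRASE_PLACEHOLDER",
        },
    },
    "enterpriseID": "0000000",
})

def new_passphrase(nbytes=32):
    """Random passphrase for encrypting a private key you generate yourself."""
    return secrets.token_urlsafe(nbytes)

def is_encrypted_pem(pem):
    """True if the PEM private key is passphrase-protected."""
    # PKCS#8 encrypted keys use the first header; traditional OpenSSL
    # keys carry a "Proc-Type: 4,ENCRYPTED" line instead.
    return ("BEGIN ENCRYPTED PRIVATE KEY" in pem
            or "Proc-Type: 4,ENCRYPTED" in pem)

def jwt_auth_kwargs(config_text):
    """Map the config JSON onto boxsdk JWTAuth keyword arguments."""
    cfg = json.loads(config_text)
    app = cfg["boxAppSettings"]
    auth = app["appAuth"]
    # Refuse a key stored in the clear: anyone who can read the config
    # could then sign JWTs as the app's Service Account.
    if not is_encrypted_pem(auth["privateKey"]):
        raise ValueError("private key is not passphrase-protected")
    if not auth.get("passphrase"):
        raise ValueError("encrypted key needs a passphrase")
    return {
        "client_id": app["clientID"],
        "client_secret": app["clientSecret"],
        "enterprise_id": cfg["enterpriseID"],
        "jwt_key_id": auth["publicKeyID"],
        "rsa_private_key_data": auth["privateKey"],
        "rsa_private_key_passphrase": auth["passphrase"].encode(),
    }
```

The returned dictionary can be passed as `JWTAuth(**kwargs)` from the `boxsdk` package, and the resulting auth object to `Client`. When the key lives in a PEM file, pass `rsa_private_key_file_sys_path` instead of `rsa_private_key_data`.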