How to use a .pem file on Box authentication

Question from developer:

When working with BoxCLI or the Node SDK, the examples reference a file path to a .pem file.
How do I create a .pem file, and have it work with the box app?

In essence, when you configure a server-side JWT-authenticated app, you need a private/public key pair, and you send the public key to your Box app configuration. These are then used to exchange encrypted information related to authentication between the platform and your app.

Let me illustrate with some screenshots of an app configured to use JWT authentication:

If you scroll down, you’ll see the section to manage the public keys:

From here you have a couple of options:

  • Manually generate your own public/private key pair (or, if you already have a private key, generate just the public one), then upload the public key to your app via the “add public key” button.
  • Or click the “Generate a Public/Private key pair” button and have it done for you.

To manually generate a public/private key pair, follow this guide.

If you select the second option, Box will trigger the download of a JSON file with all the configuration you need for the CLI or any of the SDKs. This JSON includes your private key, so keep it safe. Once this is done, there is no way you can get your private key again.

For example on my Box CLI:

❯ box configure:environments:get -c
Client ID:
Enterprise ID: '87...855'
Box Config File Path: /Users/rbarbosa/Documents/box-cli/jwt.config.json
Has Inline Private Key: true
Private Key Path: null
Name: JWT
Default As-User ID: null
Use Default As-User: false
Cache Tokens: true

For example, using the Python SDK:

from boxsdk import Client, JWTAuth

def box_client_get(jwt_config_file_path: str) -> Client:
    """Get a Box client authenticated from a JWT config file."""
    auth = JWTAuth.from_settings_file(jwt_config_file_path)
    return Client(auth)

You can also pass all the parameters for the JWTAuth manually, instead of a file, for example:

from boxsdk import Client, JWTAuth

def jwt_test_manual():
    # Config is the application's own settings object holding the app credentials
    auth = JWTAuth(
        client_id=Config.JWT_CLIENT_ID,
        client_secret=Config.JWT_CLIENT_SECRET,
        enterprise_id=Config.JWT_ENTERPRISE_ID,
        jwt_key_id=Config.JWT_PUBLIC_KEY_ID,
        rsa_private_key_file_sys_path=Config.private_key_path,  # your private key .pem
        rsa_private_key_passphrase=Config.JWT_PASSPHRASE,
        store_tokens=jwt_store_token,  # token-storage callback defined elsewhere in the app
    )
    access_token = auth.authenticate_instance()
    client = Client(auth)
    service_account = client.user().get()
    print(f'Service Account user ID is {service_account.id}')
    # The access token is a live credential; printed here only for the test
    print(f'Access token: {access_token}')

To learn more about using JWT Auth in Box, follow this guide.

The other option that I was mentioning is to create/download the config.json file which has all these parameters and then instantiate the JWTAuth using the config file:

auth = JWTAuth.from_settings_file('path/to/jwt_config_file')

The config JSON file looks like this:

  {
    "boxAppSettings": {
      "clientID": "...",
      "clientSecret": "...",
      "appAuth": {
        "publicKeyID": "...",
        "privateKey": "-----BEGIN ENCRYPTED PRIVATE KEY-----\n...=\n-----END ENCRYPTED PRIVATE KEY-----\n",
        "passphrase": "..."
      }
    },
    "enterpriseID": "..."
  }

So use one or the other.
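To show how the two options relate, the following added example (not code from the original post or from Box) takes a config JSON with an inline private key, writes that key out as an owner-only .pem file, and returns the matching parameters for the manual JWTAuth call shown earlier. The helper name config_to_jwt_kwargs is hypothetical and every value in the sample config is a constructed placeholder.

```python
import json
import os
import tempfile

# Constructed sample config: every value is a placeholder, not a real credential.
SAMPLE_CONFIG = json.dumps({
    "boxAppSettings": {
        "clientID": "example-client-id",
        "clientSecret": "example-client-secret",
        "appAuth": {
            "publicKeyID": "abcd1234",
            "privateKey": "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
                          "TUlJRXhhbXBsZQ==\n"
                          "-----END ENCRYPTED PRIVATE KEY-----\n",
            "passphrase": "example-passphrase",
        },
    },
    "enterpriseID": "12345",
})

def config_to_jwt_kwargs(config_text: str, pem_path: str) -> dict:
    """Write the inline private key to pem_path and return the keyword
    arguments for the manual JWTAuth(...) call (hypothetical helper)."""
    cfg = json.loads(config_text)
    app = cfg["boxAppSettings"]
    pem = app["appAuth"]["privateKey"]
    lines = pem.strip().splitlines()
    if (len(lines) < 3 or not lines[0].startswith("-----BEGIN ")
            or not lines[0].endswith("PRIVATE KEY-----")
            or not lines[-1].startswith("-----END ")):
        raise ValueError("privateKey is not a PEM private key block")
    # O_EXCL refuses to overwrite an existing key; 0o600 is owner read/write only.
    fd = os.open(pem_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(pem)
    return {
        "client_id": app["clientID"],
        "client_secret": app["clientSecret"],
        "enterprise_id": cfg["enterpriseID"],
        "jwt_key_id": app["appAuth"]["publicKeyID"],
        "rsa_private_key_file_sys_path": pem_path,
        "rsa_private_key_passphrase": app["appAuth"]["passphrase"],
    }

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        kwargs = config_to_jwt_kwargs(SAMPLE_CONFIG, os.path.join(tmp, "private.pem"))
        print(sorted(kwargs))
```

The returned dictionary still carries the client secret and passphrase, so treat it with the same care as the config file itself.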