I am a bit confused about the application type and authentication method best suited for my use case.
I want to build an application, which should be published into the box app centre.
The application should add context menu items to the existing box cloud
Users with the box cloud account are the expected users. They will select a file or folder and click the context menu option.
Context menu item click - should invoke our API., with information about the selected file or folder.
The application should have permission to download and upload files.
The main concern is that I want a long-lived token. I don’t want to re-authenticate for every call of a user a short-lived token.
If multiple Organizations installed the application, How do we differentiate the organization?
As stated in that documentation, your integration/popup receives a short-lived authorization code with this request, which can be used to connect to the Box APIs, exchange the code for an Access Token, and then use that to make subsequent API calls to Box.
You can find out more about the token options here. There isn’t a “long lived token” option for your use case. The token you would get has 60 minutes of use time, with a refresh token that can be used up to 60 days later.
Long lived token are only valid for Box View use cases where there isn’t an underlying user model. That type of app would not be in the App Center though.