Box Oauth2 API
The Box OAuth2 API manages OAuth 2.0 access tokens, allowing applications to request, refresh, and revoke tokens used for authenticating API calls to the Box Platform.
OpenAPI Specification
openapi: 3.1.0
info:
title: Box Oauth2 API
description: Needs a description.
paths:
/oauth2/token:
post:
operationId: post_oauth2_token
summary: Box Request access token
description: |-
Request an Access Token using either a client-side obtained OAuth 2.0
authorization code or a server-side JWT assertion.
An Access Token is a string that enables Box to verify that a
request belongs to an authorized session. In the normal order of
operations you will begin by requesting authentication from the
[authorize](#get-authorize) endpoint and Box will send you an
authorization code.
You will then send this code to this endpoint to exchange it for
an Access Token. The returned Access Token can then be used to to make
Box API calls.
tags:
- Oauth2
servers:
- url: https://api.box.com
description: Server for server-side authentication
x-box-tag: authorization
security: []
requestBody:
content:
application/x-www-form-urlencoded:
schema:
$ref: '#/components/schemas/PostOAuth2Token'
responses:
'200':
description: |-
Returns a new Access Token that can be used to make authenticated
API calls by passing along the token in a authorization header as
follows `Authorization: Bearer <Token>`.
content:
application/json:
schema:
$ref: '#/components/schemas/AccessToken'
'400':
description: An authentication error.
content:
application/json:
schema:
$ref: '#/components/schemas/OAuth2Error'
default:
description: An authentication error.
content:
application/json:
schema:
$ref: '#/components/schemas/OAuth2Error'
/oauth2/token#refresh:
post:
operationId: post_oauth2_token#refresh
summary: Box Refresh access token
description: Refresh an Access Token using its client ID, secret, and refresh token.
tags:
- Oauth2
servers:
- url: https://api.box.com
description: Server for server-side authentication
x-box-tag: authorization
x-box-is-variation: true
security: []
requestBody:
content:
application/x-www-form-urlencoded:
schema:
$ref: '#/components/schemas/PostOAuth2Token--RefreshAccessToken'
responses:
'200':
description: |-
Returns a new Access Token that can be used to make authenticated
API calls by passing along the token in a authorization header as
follows `Authorization: Bearer <Token>`.
content:
application/json:
schema:
$ref: '#/components/schemas/AccessToken'
'400':
description: An authentication error.
content:
application/json:
schema:
$ref: '#/components/schemas/OAuth2Error'
default:
description: An authentication error.
content:
application/json:
schema:
$ref: '#/components/schemas/OAuth2Error'
/oauth2/revoke:
post:
operationId: post_oauth2_revoke
summary: Box Revoke access token
description: |-
Revoke an active Access Token, effectively logging a user out
that has been previously authenticated.
tags:
- Oauth2
servers:
- url: https://api.box.com
description: Server for server-side authentication
x-box-tag: authorization
security: []
requestBody:
content:
application/x-www-form-urlencoded:
schema:
$ref: '#/components/schemas/PostOAuth2Revoke'
responses:
'200':
description: Returns an empty response when the token was successfully revoked.
'400':
description: An authentication error.
content:
application/json:
schema:
$ref: '#/components/schemas/OAuth2Error'
default:
description: An authentication error.
content:
application/json:
schema:
$ref: '#/components/schemas/OAuth2Error'
components:
schemas:
AccessToken:
title: Access token
type: object
x-box-resource-id: access_token
x-box-tag: authorization
description: A token that can be used to make authenticated API calls.
properties:
access_token:
type: string
format: token
example: c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ
description: The requested access token.
expires_in:
type: integer
format: int64
example: 3600
description: The time in seconds by which this token will expire.
token_type:
type: string
enum:
- bearer
example: bearer
description: The type of access token returned.
restricted_to:
type: array
description: |-
The permissions that this access token permits,
providing a list of resources (files, folders, etc)
and the scopes permitted for each of those resources.
items:
$ref: '#/components/schemas/FileOrFolderScope'
refresh_token:
type: string
format: token
example: c3FIOG9vSGV4VHo4QzAyg5T1JvNnJoZ3ExaVNyQWw6WjRsanRKZG5lQk9qUE1BVQ
description: |-
The refresh token for this access token, which can be used
to request a new access token when the current one expires.
issued_token_type:
type: string
format: urn
example: urn:ietf:params:oauth:token-type:access_token
enum:
- urn:ietf:params:oauth:token-type:access_token
description: |-
The type of downscoped access token returned. This is only
returned if an access token has been downscoped.
OAuth2Error:
title: OAuth 2.0 error
type: object
x-box-resource-id: oauth2_error
x-box-tag: authorization
description: An OAuth 2.0 error
properties:
error:
type: string
example: invalid_client
description: The type of the error returned.
error_description:
type: string
example: The client credentials are not valid
description: The type of the error returned.
tags:
- name: Oauth2