Introducing Developer Tokens

Box held one of our periodic internal Hackathons in early December. I built developer tokens for my winning hack.

The complexity of implementing OAuth2 was frustrating many of our customers and partners starting to build on the Content API. Security requires care, and while we do our best to make sure it is as simple as possible to sign into services and applications that bring your Box account extra features, the OAuth2 process is not trivial to implement.

I'm proud to introduce my newly public Hackathon project: Developer Tokens.

Developer Tokens are tokens that behave just like a full OAuth2 bearer token. They give you access to your account on a temporary basis so you can get started quickly. The power of the Developer token is that it requires almost no work on your part to get one.

When you create an application on the Box Developer website, just go into the application management page. That's the page where you can modify basic things about your application, like the name, icon, or description. You can now just click on a simple button to get a developer token. That button generates a valid OAuth2 token with access to your own Box account, with a scope granted to your app. You do not have to enter your account password or go through a login flow. You do not have to make any API calls, or redirect a user to a URL, and you do not have to catch any http responses coming from the Box servers. Simply click the button in the application admin console, and we'll give you the token for your account.


  • The tokens expire (currently after 1 hour)
  • The tokens are only valid for your own account (so you can't use them to test other people using your app)
  • There is no refresh token paired with the token

Clicking the Revoke button on the application management page will delete the token. Optionally, you can use the OAuth2 revoke endpoint if your access token is no longer needed.

To use the new token, you simply use it in the header on every API call that you have available to you. It gets sent in as a Bearer token, just like the normal token you get when you have someone OAuth2 into your application.

We hope this, and other developer-friendly changes that we have planned, will make it even easier to get started on the Box API.

So what are you waiting for? Give the Box API a spin! Try a new Developer token with Postman or a curl command. Or click here to go straight to SDK documentation to get started with your favorite language, or here for the full documentation.

Want to learn more about building on the Box platform? Register today for Box Dev, our spring developer conference on March 26th in SF!