Box: nodejs SDK authentication

Having spent some time building content functionality with Box’s comprehensive API, I found I needed to graduate from using a Developer Token, which expires after 60 minutes, to a form of persistent authentication to put my work into production.

This took me a little bit of time and some assistance from Box Support to achieve, so I thought I would share my solution with others that might be having similar experiences. My example application is written in JavaScript making use of nodejs and expressjs.

Prerequisites: a Box account; some nodejs knowledge.

Firstly you need to create a Box app: instructions can be found here. When you have created your Box app, ensure that you have Application access set to Enterprise, as illustrated below.


This will allow you to impersonate a managed user, which is key to using the API. Once you have your app created, you need to click Authorize New App in your Box account’s Admin Console | Business Settings | Apps menu. It is also worth noting that every time you modify your Box App in the Dev Console, you should authorise your app again.



Now you have your Box app configured and authorised, you can start building an application and making use of Box’s API. One use case I am working towards is the ability to automatically create a predefined folder structure when new cases are created in third-party line-of-business systems.

My application code is outlined below and can be found on GitHub. For more information on the Box nodejs SDK visit this link. I hope this is of some use.

var express = require('express');
var bodyParser = require('body-parser');
var Box = require('box-node-sdk');
var app = express();
var port = process.env.PORT || 3000;

app.use(bodyParser.urlencoded({ extended: true }));

// Box app secrets stored as environment variables.
var boxClientID = process.env.boxClientID;
var boxClientSecret = process.env.boxClientSecret;
var privateKey = process.env.boxPrivateKey;
var publicKeyId = process.env.boxKeyID;
var publicKeyPassphrase = process.env.boxKeyPassphrase;
var boxEnterpriseId = process.env.boxEnterpriseId;
var boxUser = process.env.boxUser;

// Set the SDK up.
var sdk = new Box({
  clientID: boxClientID,
  clientSecret: boxClientSecret,
  appAuth: {
    keyID: publicKeyId,
    privateKey: privateKey,
    passphrase: publicKeyPassphrase
  }
});

// Create a client.
var client = sdk.getAppAuthClient('enterprise', boxEnterpriseId);
// Set the managed user to impersonate.
client.asUser(boxUser);

// Create an index route for the express application.
app.use('/', function (req, res) {
  // Execute a Box API call when the index route is requested.
  client.users.get(client.CURRENT_USER_ID, null, function (err, userResponse) {
    if (err) {
      // Log the error server-side; do not return Box error details to the caller.
      console.error(err);
      res.status(500).send('Box API request failed.');
    } else {
      res.send(userResponse); // This returns the raw JSON from Box's API.
    }
  });
});

app.listen(port, function (err) {
  if (err) console.log(err);
  console.log('Server is running on port ' + port);
});
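
Because the application reads every Box secret from environment variables, a missing variable or a key that does not match its passphrase only shows up when the first API call fails. The following is an added example, not code from the original post or from box-node-sdk: a startup check that fails fast without printing any secret values. `loadBoxConfig` and `makeSampleEnv` are hypothetical helpers, the sample values are constructed, and it assumes the private key may be stored on one line with literal `\n` sequences.

```javascript
const crypto = require('crypto');

// Environment variable names used by the application code in this post.
const REQUIRED = ['boxClientID', 'boxClientSecret', 'boxPrivateKey',
  'boxKeyID', 'boxKeyPassphrase', 'boxEnterpriseId', 'boxUser'];

// Hypothetical helper (not part of box-node-sdk): validate the secrets once
// at startup and return them in the shape the SDK setup in this post uses.
function loadBoxConfig(env) {
  const missing = REQUIRED.filter(function (name) { return !env[name]; });
  if (missing.length > 0) {
    // Report variable names only, never their values.
    throw new Error('Missing Box settings: ' + missing.join(', '));
  }
  // Assumption: the host may store the PEM on one line with literal "\n".
  const pem = env.boxPrivateKey.replace(/\\n/g, '\n');
  if (!/-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED/.test(pem)) {
    throw new Error('boxPrivateKey is not a passphrase-protected PEM key');
  }
  try {
    // Decrypting locally proves the key and passphrase belong together.
    crypto.createPrivateKey({ key: pem, passphrase: env.boxKeyPassphrase });
  } catch (e) {
    throw new Error('boxPrivateKey cannot be decrypted with boxKeyPassphrase');
  }
  return {
    sdk: {
      clientID: env.boxClientID,
      clientSecret: env.boxClientSecret,
      appAuth: { keyID: env.boxKeyID, privateKey: pem, passphrase: env.boxKeyPassphrase }
    },
    enterpriseId: env.boxEnterpriseId,
    userId: env.boxUser
  };
}

// Constructed sample environment with a throwaway key, so this runs offline.
function makeSampleEnv() {
  const pair = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase: 'sample-passphrase' }
  });
  return {
    boxClientID: 'sample-client-id', boxClientSecret: 'sample-client-secret',
    boxPrivateKey: pair.privateKey.replace(/\n/g, '\\n'),
    boxKeyID: 'samplekey', boxKeyPassphrase: 'sample-passphrase',
    boxEnterpriseId: '000000', boxUser: '111111'
  };
}
```

In the application above, the result of `loadBoxConfig(process.env)` would supply `new Box(cfg.sdk)`, `sdk.getAppAuthClient('enterprise', cfg.enterpriseId)` and `client.asUser(cfg.userId)`.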