The OAuth resource allows an application to be granted authorization to act on behalf of the user. To retrieve an access token for a given user, the application must prepare an Authorization URL and redirect the user to it, such as the following:

https://api.boxc.com/v1/oauth/authorize?application_id=1x98s0ad8fsfs091&return_uri=https://myapp.com/connect/user/150162

After the user is redirected to api.boxc.com, they are prompted to sign in to their BoxC account and accept the requested permissions. The user is then redirected to the provided return_uri with a nonce hash appended as a parameter. The application must capture the nonce because it is required for retrieving an access token.

With the application_id, application_secret, and nonce in hand, the application may now call POST /oauth/access_token to retrieve an access token. The token lasts indefinitely, or at least until the user revokes the application's permissions. For all future requests to the API, the application must place the user's access_token in the request header, as in the following example:

Authorization: Bearer {access_token}
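The flow described above, as an added Python example that is not BoxC's own code: it URL-encodes return_uri, ties the callback to the session that started the flow, refuses a stale nonce, and builds the token request without sending it. The flow_id path segment, the callback base URL, the `nonce` query parameter name and the Content-Type header are assumptions that this page does not state.

```python
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

API = "https://api.boxc.com/v1"
NONCE_TTL = 300  # seconds; the page states the nonce expires after 5 minutes


def start_authorization(application_id, callback_base):
    """Build the Authorization URL; store flow_id in the user's session."""
    flow_id = secrets.token_urlsafe(16)  # assumption: unguessable path segment
    query = urlencode({"application_id": application_id,
                       "return_uri": f"{callback_base}/{flow_id}"})
    return f"{API}/oauth/authorize?{query}", flow_id


def nonce_from_callback(callback_url, session_flow_id):
    """Check the redirect belongs to this session, then return its nonce."""
    parts = urlsplit(callback_url)
    flow_id = parts.path.rsplit("/", 1)[-1]
    if not hmac.compare_digest(flow_id.encode(), session_flow_id.encode()):
        raise ValueError("callback does not match this session")
    values = parse_qs(parts.query).get("nonce", [])  # parameter name assumed
    if len(values) != 1 or not values[0]:
        raise ValueError("expected exactly one nonce")
    return values[0]


def token_request(application_id, application_secret, nonce, nonce_age):
    """Describe the POST /oauth/access_token call without sending it."""
    if nonce_age >= NONCE_TTL:
        raise ValueError("nonce expired; restart the authorization")
    body = {"application_id": application_id,
            "application_secret": application_secret, "nonce": nonce}
    return {"method": "POST", "url": f"{API}/oauth/access_token",
            "headers": {"Content-Type": "application/json"},  # assumed header
            "body": json.dumps(body)}  # the secret travels in the body only


def bearer_header(token_response_body):
    """Turn the 201 response body into the header for later requests."""
    data = json.loads(token_response_body)
    if data.get("token_type") != "Bearer" or not data.get("access_token"):
        raise ValueError("unexpected token response")
    return {"Authorization": f"Bearer {data['access_token']}"}
```

The application_secret appears only in the request body, never in a URL, and the returned header value should be stored like a password because the token does not expire.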

Actions

GET /oauth/authorize Requests authorization for an application
POST /oauth/access_token Creates an access token
DELETE /oauth/{access_token} Revokes an access token

Properties

access_token

{"access_token": "gXfXk4379LCjsUxs9PpuH4..."}

String(64) - The access token. Set by the system.

application_id

{"application_id": "1x98s0ad8fsfs091"}

String - The application's unique identifier.

application_secret

{"application_secret": "a7bb9fe6-7443-4711-9cfb-a6437f882eec"}

String(36) - The application's secret key.

nonce

{"nonce": "rctzV3dBOTBrdEhnRQ"}

String - A one-time authorization code returned by the system. It expires after 5 minutes.

GET /oauth/authorize

Requests authorization for an application

application_id - The application's unique identifier.
return_uri - The application's callback URL that will process the authorization response.

request

GET /oauth/authorize

application_id=1x98s0ad8fsfs091&return_uri=https://myapp.com/connect/user/170242

response

HTTP/1.1 200 OK

POST /oauth/access_token

Creates an access token

request

POST /oauth/access_token

{
    "application_id": "1x98s0ad8fsfs091",
    "application_secret": "a7bb9fe6-7443-4711-9cfb-a6437f882eec",
    "nonce": "VOxDU1dyY3pSQmV6TQVOxDU1dyY3pSQm"
}

response

HTTP/1.1 201 Created

{
    "access_token": "52277de980b06dbcba5c5e8a58c747750fe41ec3f71a7ff9ab2a7d94907ef5d1",
    "expires_in": null,
    "token_type": "Bearer"
}

DELETE /oauth/{access_token}

Revokes an access token

request

DELETE /oauth/52277de980b06dbcba5c5e8a58c747750fe41ec3f71a7ff9ab2a7d94907ef5d1

response

HTTP/1.1 200 OK