I am using JWT to authenticate with the Box API because I do not want my users to have to explicitly log in with their credentials (as you have to with OAuth2).

My issue is that the User Access token is only valid for 60 seconds.

So, does that mean that each time I make a request to the Box API (e.g., iterate through some folders to find a specific file) I need to request a new User Access Token to ensure that it is still valid?

From my understanding there are no refresh tokens with JWT, so it seems this is the only solution?

60 seconds is a very short amount of time. I don't want to have to keep track of time of each request, so it seems the only other option is to have to re-create the token for each API request. This seems ridiculous.

1 Answer

> My issue is that the User Access token is only valid for 60 seconds.

Box JWT access tokens are valid for roughly 60 minutes. When you get a JWT access token the expires_in property will tell you exactly how long the token is valid, in seconds. In the example below, the token will expire in 4169 seconds, or ~69 minutes.

{
   "access_token": "mNr1FrCvOeWiGnwLL0OcTL0Lux5jbyBa",
   "expires_in": 4169,
   "restricted_to": [],
   "token_type": "bearer"
}

> I don't want to have to keep track of time of each request, so it seems the only other option is to have to re-create the token for each API request.

Instead of keeping track of the expiration time, you can make API requests until you receive a 401 response, then get a new access token, and finally retry the failed request(s). Both options require coding effort. Fortunately some of the SDKs will do it all for you.
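The two options from the answer above (track `expires_in`, or retry after a 401) combined in one small cache, as an added example that is not part of the original answer and not Box SDK code. `fetch_token` and `send` are hypothetical callables you supply: the first performs the JWT grant and returns the token response dict, the second performs one API request with the given token and returns `(status, body)`.

```python
import time


class TokenCache:
    """Caches a bearer token and renews it based on the expires_in value."""

    def __init__(self, fetch_token, clock=time.monotonic, skew=60):
        self._fetch = fetch_token  # hypothetical: returns the token response dict
        self._clock = clock        # injectable so expiry can be tested without sleeping
        self._skew = skew          # renew this many seconds before the stated expiry
        self._token = None
        self._expires_at = 0.0

    def get(self):
        # Request a new token only when none is cached or the cached one is due.
        if self._token is None or self._clock() >= self._expires_at:
            resp = self._fetch()
            self._token = resp["access_token"]
            lifetime = max(resp["expires_in"] - self._skew, 0)
            self._expires_at = self._clock() + lifetime
        return self._token

    def invalidate(self):
        # Drop the cached token, e.g. after the server rejected it.
        self._token = None


def call_api(cache, send):
    """Run one request; on a 401, fetch a fresh token and retry exactly once."""
    status, body = send(cache.get())
    if status == 401:
        cache.invalidate()
        status, body = send(cache.get())
    # A second 401 is returned to the caller instead of looping on token requests.
    return status, body


if __name__ == "__main__":
    # Constructed stand-ins for the token endpoint and an API call.
    def fake_fetch():
        return {"access_token": "constructed-token", "expires_in": 4169}

    cache = TokenCache(fake_fetch)
    print(call_api(cache, lambda tok: (200, "folder listing")))
```

Keep the cached token in memory only and out of logs, since anyone holding it can act as the user until it expires.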