Box Developer Platform

Service Accounts

A Service Account represents your application within a Box Enterprise. Using a Service Account, your application can authenticate to Box as itself instead of authenticating as a user.

This page describes features, use cases, and permissions of Service Accounts. If you are looking for the Service Account setup guide, it is available here.

Service Account Features

  • Application Content Store - The ability to store content at the application level by maintaining content within the Service Account.
  • Access to Any User - The ability to generate access tokens for both Managed Users and App Users or to make calls using the As-User header to impersonate a user.
  • Flexible Application Scopes - Each Service Account is authorized for the specific set of scopes permitted by the application and authorized by the Admin.
  • Enterprise Features - Service Accounts can use admin-level capabilities (if authorized) such as managing and applying retention policies, setting and using Metadata, and accessing the Events endpoint using the Box API.
  • Application Recorded Events - Events are mapped directly to the application and its Service Account making Event Filtering easy.

Service Account Use Cases

There is a range of use cases for a Service Account architecture. Here are some common examples:

  • Administrative Tasks - Perform large-scale administrative actions on your Enterprise’s managed users such as provisioning and on-boarding.
  • Business Process Automation - Write custom business logic to provide complex workflows across users and content in Box.
  • Security Integrations - Establish an easy-to-use integration with data loss prevention and threat monitoring services.
  • Content Distribution - Distribute content to a public-facing application.
  • Content Capture - Configure server-to-server processes ingesting content from on-prem systems to Box.

Service Account Authentication

To make API calls using a Service Account, you have to authenticate using OAuth2 with JWT. You can perform actions on behalf of Managed Users and App Users using the As-User Header with the Enterprise Access Token.

Service Account Permissions

There are three different Service Account permission levels:

| Permission Level | Description |
|---|---|
| No Users | The Service Account does not have access to any users beyond the Service Account associated with the application. |
| App Users | Actions on behalf of App Users and the application associated with the Service Account. |
| All Users | Actions on behalf of Managed Users, App Users, and the application associated with the Service Account. |

Service Account Limitations

  • A Service Account is an API-only account. It cannot be logged into through the Box web app.
  • You should not use Service Accounts to make client-side requests. They are designed for server-side integrations. If you need to make a client-side request, you can generate an access token scoped to an App User.

FAQ

1. What's the difference between a Service Account and an App User?

A Service Account represents your application within a Box Enterprise. Depending on the permission level, a Service Account also gives you control of App User accounts. An App User is a Box account that belongs to your Box Platform application. An App User access token can only access content from its own account.

2. What's the difference between a Service Account and an Admin?

A Service Account and an Admin are different account types, but they do have some overlap in functionality. Think of a Service Account as an application account. It has its own application-level content store and can perform Admin actions such as creating users, metadata templates, and groups.

It does not use the As-User header for its own authentication, but can do so for users if the Service Account is set up with the appropriate scopes ("All Users" user access scope and "Perform actions on behalf of users" advanced features scope).
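The permission levels in the table above and the As-User rule in this answer can be enforced in your own server code before a request leaves it. The following is an added example, not Box's code or SDK: it builds the request headers and refuses to attach As-User when the application's configuration does not cover the target account. Assumptions: the `build_headers` helper and the `app_user` / `managed_user` labels are hypothetical, user IDs are treated as numeric strings, and the "Perform actions on behalf of users" scope is treated as required for every As-User call.

```python
from enum import Enum


class UserAccess(Enum):
    """The three Service Account permission levels described on this page."""
    NO_USERS = "No Users"
    APP_USERS = "App Users"
    ALL_USERS = "All Users"


# Account kinds each level may act on behalf of (labels are hypothetical).
ALLOWED_TARGETS = {
    UserAccess.NO_USERS: set(),
    UserAccess.APP_USERS: {"app_user"},
    UserAccess.ALL_USERS: {"app_user", "managed_user"},
}


class ImpersonationDenied(Exception):
    """Raised before any request is sent when As-User is not permitted."""


def build_headers(token, access, on_behalf_scope, target_id=None, target_kind=None):
    """Return request headers, adding As-User only when the app's setup allows it."""
    headers = {"Authorization": f"Bearer {token}"}
    if target_id is None:
        return headers  # acting as the Service Account itself: no As-User header
    # Assumption: user IDs are ASCII digits. This also rejects CR/LF and other
    # characters that could smuggle extra headers into the request.
    if not (isinstance(target_id, str) and target_id.isascii() and target_id.isdigit()):
        raise ImpersonationDenied("target user id must be numeric")
    # Assumption: the advanced scope is required for every As-User call.
    if not on_behalf_scope:
        raise ImpersonationDenied('"Perform actions on behalf of users" is not enabled')
    if target_kind not in ALLOWED_TARGETS[access]:
        raise ImpersonationDenied(f"{access.value} does not cover {target_kind!r}")
    headers["As-User"] = target_id
    return headers


if __name__ == "__main__":
    # Constructed values; no request is sent.
    print(build_headers("TOKEN", UserAccess.ALL_USERS, True, "12345", "managed_user"))
    try:
        build_headers("TOKEN", UserAccess.APP_USERS, True, "12345", "managed_user")
    except ImpersonationDenied as exc:
        print("denied:", exc)
```

Logging each denied attempt alongside the calling code path gives you a record of impersonation requests that exceeded the application's authorization.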

3. How can I increase the rate limit of my Service Account?

Box API rate limits are scoped to individual accounts. You can increase the overall rate limit for your Service Account by making API calls on behalf of other accounts. You can make calls on behalf of both Managed Users and App Users using the As-User Header.

Questions
If you have any questions, please visit our developer forum.
