Platform Support

Still have questions?

API support is available within the Box community. You can also ask question on StackOverflow using the Box-API tag.


If you are running into any errors with the API, please contact us using this form.


  • How do I get a list of all of a user's files and folders?

    There is currently no API that would directly give you all the files or folders belonging to a user in one API call. But you can get all files and folders belonging to a user in multiple API calls. You would need to recursively call the Get Folder's Item API to get this data. The process would be:
    1. Call Get Folder's Items to get a user's root folders and files by specifying folder id = 0.
    2. For all folders returned from step 1, call the Get Folder's Items API for each of them.
    3. Repeat this process of calling the Get Folder's Items API until you returned no more subfolders.

  • What is the As-User header? How do I get access to use this header as a developer?

    The As-User header lets an admin perform any action on behalf of a user via the API. Anything an individual user can do in their own account can now be done by the admin. Please file a support ticket to enable this in your account.

  • What authentication scheme should I use for my app?

    The OAuth process is designed to be used with Standard Box Users (Managed Users). The JWT auth process is designed to be used with App Users.

  • When should I use the developer token?

    The Box developer token is designed for testing purposes, and is not intended for use in production applications.

  • What are the rate limits around the API?

    There are two rate limits. There is a limit of 10 API calls per second. There is also a limit of 50,000 API calls in a 24 hour rolling window.

  • Can I multi-thread requests?

    Yes. Our recommendation is five concurrent threads.

  • How does token expiration work?

    A token is valid for one hour, unless a new token is requested and used. If a new token is requested but not used, the old token is still valid (assuming it less than one hour old). If a new token is requested and used, the old token will be invalidated.