Skip to main content

Official Box Python SDK

Project description Documentation Status


pip install boxsdk


The Box API uses OAuth2 for auth. The SDK makes it relatively painless to work with OAuth2 tokens.

Get the authorization url

from boxsdk import OAuth2

oauth = OAuth2(

auth_url, csrf_token = oauth.get_authorization_url('http://YOUR_REDIRECT_URL')

store_tokens is a callback used to store the access token and refresh token. You might want to define something like this:

def store_tokens(access_token, refresh_token):
    # store the tokens at secure storage (e.g. Keychain)

The SDK will keep the tokens in memory for the duration of the Python script run, so you don’t always need to pass store_tokens.

Authenticate (get access/refresh token)

If you navigate the user to the auth_url, the user will eventually get redirected to http://YOUR_REDIRECT_URL?code=YOUR_AUTH_CODE. After getting the code, you will be able to use the code to exchange for an access token and refresh token.

The SDK handles all the work for you; all you need to do is run:

# Make sure that the csrf token you get from the `state` parameter
# in the final redirect URI is the same token you get from the
# get_authorization_url method.
assert 'THE_CSRF_TOKEN_YOU_GOT' == csrf_token
access_token, refresh_token = oauth.authenticate('YOUR_AUTH_CODE')

Create an authenticated client

from boxsdk import Client

client = Client(oauth)

And that’s it! You can start using the client to do all kinds of cool stuff and the SDK will handle the token refresh for you automatically.


Get user info

me = client.user(user_id='me').get()
print 'user_login: ' + me['login']

Get folder info

root_folder = client.folder(folder_id='0').get()
print 'folder owner: ' + root_folder.owned_by['login']
print 'folder name: ' + root_folder['name']

Get items in a folder

items = client.folder(folder_id='0').get_items(limit=100, offset=0)

Create subfolder

# creates folder structure /L1/L2/L3

Get file name


Rename an item


Move an item


Get content of a file


Lock/unlock a file



# Get events, stream_position='now')

# Generate events using long polling
for event in
    pass  # Do something with the event

# Get latest stream position


# Get metadata

# Create metadata
client.file(file_id='SOME_FILE_ID').metadata().create({'key': 'value'})

# Update metadata
metadata = client.file(file_id='SOME_FILE_ID').metadata()
update = metadata.start_update()
update.add('/key', 'new_value')


The Client class and all Box objects also have an as_user method.

as-user returns a copy of the object on which it was called that will make Box API requests as though the specified user was making it.

See for more information about how this works via the Box API.

# Logged in as admin, but rename a file as SOME USER
user = client.user(user_id='SOME_USER_ID')

# Same thing, but using file's as_user method

Box Developer Edition

The Python SDK supports your Box Developer Edition applications.

Developer Edition support requires some extra dependencies. To get them, simply

pip install boxsdk[jwt]

Instead of instantiating your Client with an instance of OAuth2, instead use an instance of JWTAuth.

from boxsdk import JWTAuth

auth = JWTAuth(

access_token = auth.authenticate_instance()

from boxsdk import Client

client = Client(auth)

This client is able to create application users:

ned_stark_user = client.create_user('Ned Stark')

These users can then be authenticated:

 ned_auth = JWTAuth(
ned_client = Client(ned_auth)

Requests made with ned_client (or objects returned from ned_client’s methods) will be performed on behalf of the newly created app user.

Other Auth Options

For advanced uses of the SDK, two additional auth classes are provided:

  • CooperativelyManagedOAuth2: Allows multiple auth instances to share tokens.
  • RemoteOAuth2: Allows use of the SDK on clients without access to your application’s client secret. Instead, you provide a retrieve_access_token callback. That callback should perform the token refresh, perhaps on your server that does have access to the client secret.
  • RedisManagedOAuth2: Stores access and refresh tokens in Redis. This allows multiple processes (possibly spanning multiple machines) to share access tokens while synchronizing token refresh. This could be useful for a multiprocess web server, for example.

Other Network Options

For more insight into the network calls the SDK is making, you can use the LoggingNetwork class. This class logs information about network requests and responses made to the Box API.

from boxsdk import Client
from import LoggingNetwork

client = Client(oauth, network_layer=LoggingNetwork())



Developer Setup

Create a virtual environment and install packages -

mkvirtualenv boxsdk
pip install -r requirements-dev.txt


Run all tests using -


The tox tests include code style checks via pep8 and pylint.

The tox tests are configured to run on Python 2.6, 2.7, 3.3, 3.4, 3.5, and PyPy (our CI is configured to run PyPy tests on PyPy 4.0).


Need to contact us directly? Email and be sure to include the name of this project in the subject. For questions, please contact us directly rather than opening an issue.

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for boxsdk, version 1.4.0
Filename, size File type Python version Upload date Hashes
Filename, size boxsdk-1.4.0-py2-none-any.whl (132.9 kB) File type Wheel Python version 2.7 Upload date Hashes View
Filename, size boxsdk-1.4.0.tar.gz (80.0 kB) File type Source Python version None Upload date Hashes View

Supported by

AWS AWS Cloud computing Datadog Datadog Monitoring DigiCert DigiCert EV certificate Facebook / Instagram Facebook / Instagram PSF Sponsor Fastly Fastly CDN Google Google Object Storage and Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Salesforce Salesforce PSF Sponsor Sentry Sentry Error logging StatusPage StatusPage Status page