Box Platform apps with Server Authentication (with Client Credentials Grant) let your workflows authenticate to Box as the app's own Service Account instead of through a person's OAuth login. You create the app once, a Box admin authorizes it for the enterprise, and Sim mints short-lived access tokens from the app's credentials on demand — no user consent to expire, and access that's controlled entirely by which folders the Service Account is invited into.
This is the recommended way to use Box in production workflows: nothing depends on a user staying logged in, the app's scopes are explicit, and the Service Account's reach is auditable folder by folder.
Prerequisites
Anyone with Developer Console access can create the app, but a Box admin or co-admin must authorize it in the Admin Console before it can mint tokens. Free developer accounts are authorized automatically.
Setting Up the Platform App
1. Create the App
Go to the Box Developer Console, open My Apps, click Create Platform App, and choose Server Authentication (with Client Credentials Grant)
On the Configuration tab, set the App Access Level. App Access Only (the default) is sufficient — choose App + Enterprise Access only if the Service Account should also reach existing managed users' content via admin APIs
Under Application Scopes, check Read all files and folders stored in Box and Write all files and folders stored in Box. If you'll use Sim's Box Sign operations, also check Manage signature requests
Copy the Client ID and Client secret from Configuration → OAuth 2.0 Credentials (revealing the secret may prompt for two-factor verification)
Copy the Enterprise ID — a numeric value. In the Developer Console, click your account icon in the top right and choose Copy Enterprise ID; a Box admin can also find it in Admin Console → Account & Billing → Account Information
2. Authorize the App in the Admin Console
Token requests fail with unauthorized_client ("This app is not authorized by the enterprise admin") until a Box admin authorizes the app:
A Box admin or co-admin opens Admin Console → Apps → Platform Apps Manager (in some tenants this appears as Platform → Platform Apps)
Click Add App and enter the app's Client ID
Alternatively, the developer can click Review and Submit on the app's Authorization tab in the Developer Console to send the request to the admin.
Authorization is a snapshot. If you later change the app's scopes or access level — for example, adding the signature scope — the admin must re-authorize the app in the same Platform Apps Manager section before the change takes effect. Until then, token minting keeps succeeding but the new scopes don't apply, which surfaces as persistent 403 errors on tools despite correct-looking configuration.
3. Give the Service Account Access to Folders
The Service Account is a brand-new Box user — its email looks like AutomationUser_AppServiceID_RandomString@boxdevedition.com and is shown on the app's General Settings tab. Its folder tree starts empty: a fully valid credential sees zero items and gets 404s on real files and folders until you grant it access.
In Box, invite the Service Account's @boxdevedition.com email as a collaborator on each folder your workflows should work with — use the Editor role for read/write access
Verify by running Sim's Box List Folder Items on folder ID 0 — the collaborated folders should appear
Community reports indicate the Service Account can't be collaborated into a user's root folder itself — invite it into individual folders instead.
Adding the Service Account to Sim
Open Integrations from your workspace sidebar
Search for "Box" and open it, then click Add to Sim and choose Add service account
In the Add Box service account dialog, paste the Client ID, Client secret, and Enterprise ID (numeric), and optionally set a display name and description
Click Add service account. Sim verifies the credentials by minting a real access token from Box — if it fails, the error tells you whether Box rejected the credentials or couldn't be reached. A rejection usually means bad credentials, an app the admin hasn't authorized yet, or values that don't all belong to the same app and enterprise.
Using the Service Account in Workflows
Add a Box block to your workflow. In the credential dropdown, your Box service account appears alongside any OAuth credentials. Select it and configure the block as you normally would.
The block calls api.box.com with a freshly minted access token — the same requests as the OAuth flow, so every Box operation works, subject to the app's scopes and the folders the Service Account can see.
Sim's Box block includes Box Sign operations. These need the Manage signature requests scope on the app and Box Sign enabled on your enterprise's plan — without either, signature operations fail while file and folder operations keep working.
Token Behavior
Access tokens minted from the app are short-lived (typically one hour) and there is no refresh token — Sim simply mints a new token when one is needed. The stored Client ID, secret, and Enterprise ID stay valid until you rotate the secret in the Developer Console or the admin removes the app's authorization. If you rotate the secret, update the credential in Sim right away — reconnecting asks you to re-enter all three values.