Table of Contents

Authentication

TTMSFNCCloudBox talks to Box over OAuth 2.0, so every session starts by authenticating the user and obtaining an access token. You supply your Box app's credentials on the Authentication object, call Connect to run the consent flow, and then persist the returned tokens so returning users skip the browser step. This chapter covers the credential setup, the connect flow, and reusing saved tokens.

Box app credentials

Create an app in the Box developer console to get a client ID and client secret, and register a redirect URI. Set the matching values on Authentication before connecting:

  • Authentication.ClientID — the app's client ID.
  • Authentication.Secret — the app's client secret.
  • Authentication.CallBackURL — a redirect URI registered on the app (a local address such as http://127.0.0.1:8000 is typical for desktop apps).

Connecting

Connect opens the Box consent page in the browser, then exchanges the returned code for tokens. Handle OnConnected to know when the component is ready to make requests.

procedure TForm1.FormCreate(Sender: TObject);
begin
  // Credentials from your Box developer app (https://developer.box.com/).
  TMSFNCCloudBox1.Authentication.ClientID := 'your-box-client-id';
  TMSFNCCloudBox1.Authentication.Secret := 'your-box-client-secret';
  // Must match a redirect URI registered on the Box app.
  TMSFNCCloudBox1.Authentication.CallBackURL := 'http://127.0.0.1:8000';

  TMSFNCCloudBox1.OnConnected := BoxConnected;
  // Opens the Box consent page in the browser and exchanges the code for tokens.
  TMSFNCCloudBox1.Connect;
end;

procedure TForm1.BoxConnected(Sender: TObject);
begin
  // Tokens are now available on Authentication; safe to call Box operations.
  TMSFNCCloudBox1.GetAccountInfo;
end;

Combining stored tokens with a fresh connect

The access and refresh tokens live on Authentication.AccessToken and Authentication.AccessTokenRefresh. Save them after a successful connect and restore them on the next launch; validate them with TestTokens and only fall back to Connect when the test fails. This combines token reuse with the interactive flow so most launches skip the browser entirely:

procedure TForm1.SaveBoxTokens;
begin
  // Store these securely (e.g. encrypted settings), not in plain text.
  Settings.WriteString('Box', 'AccessToken',
    TMSFNCCloudBox1.Authentication.AccessToken);
  Settings.WriteString('Box', 'RefreshToken',
    TMSFNCCloudBox1.Authentication.AccessTokenRefresh);
end;

procedure TForm1.RestoreBoxTokens;
begin
  TMSFNCCloudBox1.Authentication.AccessToken :=
    Settings.ReadString('Box', 'AccessToken', '');
  TMSFNCCloudBox1.Authentication.AccessTokenRefresh :=
    Settings.ReadString('Box', 'RefreshToken', '');

  // Validate the restored tokens; only call Connect if the test fails.
  TMSFNCCloudBox1.TestTokens(
    procedure(const ARequestResult: TTMSFNCCloudBaseRequestResult)
    begin
      if not ARequestResult.Success then
        TMSFNCCloudBox1.Connect;
    end);
end;
Note

Store tokens securely (encrypted settings, OS keychain) — a refresh token grants ongoing access to the user's Box account.

Common mistakes

  • Mismatched redirect URI. Authentication.CallBackURL must exactly match a redirect URI registered on the Box app, or the consent flow fails.
  • Calling operations before OnConnected. Requests issued before the tokens are in place fail; start them from OnConnected (or after TestTokens succeeds).

See also