Box oauth2: Invalid grant_type parameter or parameter missing

I was facing a similar issue.

  • The problem is not with Content-Type.
  • The issue is with the lifecycle of code you receive.

One key aspect not mentioned in most places is that the code you get on redirect lasts only 30 seconds.

To get the access token and refresh token, you have to make the post request in 30 seconds or less.

If you fail to do that, you get the stated error. I found the info here.

Below code worked for me. Keep in mind, the 30-second rule.

import requests

url = 'https://api.box.com/oauth2/token'

data = [
    ('grant_type', 'authorization_code'),
    ('client_id', 'YOUR_CLIENT_ID'),
    ('client_secret', 'YOUR_CLIENT_SECRET'),
    ('code', 'XXXXXX'),
]

response = requests.post(url, data=data)

print(response.content)

Hope that helps.


Looks like Box requires a correct Content-Type: application/x-www-form-urlencoded request header in addition to properly URL encoding the parameters. The same seems to apply to refresh and revoke requests.

Also, per RFC 6749, the redirect_uri is only

REQUIRED, if the "redirect_uri" parameter was included in the authorization request as described in Section 4.1.1, and their values MUST be identical.