Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Integrate Box via API

Skyhigh CASB for Box enforces DLP policies across data at rest and in motion to make sure compliance with regulations and internal policies. Skyhigh CASB supports DLP rules based on keywords, data identifiers, user groups, and regular expressions. Enforcement actions include coach users, notify administrator, block, encrypt, quarantine, tombstone, and delete.

You can use pre-built industry templates or create custom policies in Skyhigh CASB, or use policies in an existing on-premises DLP solution.


For Skyhigh CASB to work properly, the following application scopes are required:

  1. Read all files and folders stored in Box. This scope allows Skyhigh CASB to download content from Box to detect policy violations.
  2. Read and write all files and folders stored in Box. This scope allows Skyhigh CASB to remediate the violated content by quarantining or deleting files.
  3. Manage Users. This scope allows Skyhigh CASB to suppress notifications in Box that might be generated when downloading or remediating content.
  4. Manage enterprise properties. This scope allows Skyhigh CASB to read the event logs, required for fetching the Audit Log.

Authentication with Box

Skyhigh CASB supports two authentication models for authenticating with Box and making requests to the REST APIs: standard OAuth 2 and OAuth 2 with JSON Web Tokens (JWT).

IMPORTANT: Migrate to the OAuth 2 with JWT authentication mode, aka Box Service Account, to remove the need to re-enable API access when refresh tokens expire.

Legacy OAuth 2

OAuth 2.0 is a protocol that allows Skyhigh CASB to request a user's authorization to access content to an enterprise Box account. This authentication model follows the standard 3-legged OAuth 2.0 process.

Once authorized, Box provides access and refresh tokens to Skyhigh CASB that are used for making API requests. The access tokens have an expiry time of an hour and on expiration, Skyhigh CASB uses the refresh tokens to fetch new access tokens. The refresh tokens also have an expiration time of 2 months. Upon expiration, the admin needs to reauthorize Skyhigh CASB for continued service.

To authorize Skyhigh CASB access to Box:

  1. Login to Skyhigh CASB and go to Settings > Service Management.
  2. Select your Box instance and click Enable.
  3. Enter the Box login credentials for an Administrator or Co-Admin user account and click Next.
    Box API Creds.png


OAuth 2 with JWT

OAuth 2.0 with JSON Web Tokens allows for server-to-server interactions with the Box API. Instead of authenticating via a user, an application can authenticate directly to Box by generating a JSON Web Token (JWT) verified with an RSA key-pair. This authentication replaces the first leg of the standard 3-legged OAuth process, where the admin user grants an application permission to access the user’s Box account, removing multiple logins and services for users.

In this model, the admin can grant access to Skyhigh CASB by logging into Box and authorizing Skyhigh CASB. Also, this authentication mode doesn’t need refresh tokens, so there is no service disruption as long as Skyhigh CASB is authorized.

To authorize Skyhigh CASB access to Box:

  1. Login to Skyhigh CASB and go to Settings > Service Management.
  2. Select your Box instance and click Enable.
  3. Copy the Skyhigh CASB App ID to the clipboard and click View Box business settings as Admin User.
  4. Login to Box and navigate to Custom Applications.
  5. Click Authorize New App and paste in the App ID copied earlier.
  6. To review the Application scopes and Authorize the application, click Next.
  7. To provide access to Skyhigh CASB, click Authorize
  8. Go to Skyhigh CASB to enter the admin or co-admin user ID that Skyhigh CASB uses to access the application.
  9. To complete the authentication workflow, click Next.
  • Was this article helpful?