Box MCP

Live

OAUTH 2.1

FILE MANAGEMENT

Files & Documents

Box MCP gives agents authenticated file management: search content, read and upload documents, and ask Box AI questions across files the user can access.

  • Per-user credentials: each call uses the actual user's token, never a shared bot.
  • Encrypted per-tenant vault: AES-256, resolved at request time, never in LLM context.
  • Scoped before every call: pre-call scope check, 90-day SIEM-exportable audit chain.
Box MCP
agent · Acme Q3
Run
Find the latest MSA for Acme and summarize the renewal terms.
S
boxmcp_search_files_keyword
94ms
Box agent
Found Acme_MSA_v4.pdf, updated Mar 3. Renewal: auto-renews Jan 1 with 60-day notice, 5% uplift cap, net-45 payment terms.
Sources: 2 files, folder Legal/Contracts
boxmcp
2 files
18:29
Message Claude...

Tools your document agent reaches for on Box, scoped per user.

CALL ANY TOOL
File management end to end: search and browse content, read and upload documents, extract structured data, and check who has access.
boxmcp_search_files_keyword
Search files
Search for files by keyword with metadata filters, file extension filtering, and field selection, mapped to Box's searchForContent API.
Parameters
Name
Type
Required
Description
query
string
Required
The keyword or phrase to search for in file names and content.
ancestor_folder_id
string
Optional
ID of a parent folder to scope the search within.
created_at_range
string
Optional
Filter files by creation date range (ISO 8601 range string).
fields
array
Optional
List of fields to include in the response for each file.
file_extensions
array
Optional
List of file extensions to filter results by.
limit
integer
Optional
Maximum number of files to return.
updated_at_range
string
Optional
Filter files by last updated date range (ISO 8601 range string).
boxmcp_get_file_content
Read file content
boxmcp_list_folder_content_by_folder_id
Browse a folder
boxmcp_upload_file
Upload a file
boxmcp_create_folder
Create a folder
boxmcp_ai_qa_multi_file
Ask Box AI
boxmcp_ai_extract_structured_from_fields
Extract structured data
boxmcp_list_item_collaborations
Check collaborations
Build your Agent
Same auth pattern across LangChain, OpenAI, Anthropic, and Google ADK.
Python · LlamaIndex
import { ScalekitClient } from "@scalekit-sdk/node";
import { createReactAgent } from "@langchain/langgraph/prebuilt";

const sk = new ScalekitClient(env.SCALEKIT_ENV_URL, env.SCALEKIT_CLIENT_ID, env.SCALEKIT_CLIENT_SECRET);

// Box tools scoped to this user
const { tools } = await sk.tools.listScopedTools("user_123", {
  filter: { connectionNames: ["boxmcp"], toolNames: [
    "boxmcp_search_files_keyword",
    "boxmcp_get_file_content",
    "boxmcp_ai_qa_multi_file"] },
  pageSize: 100,
});

const agent = createReactAgent({ llm, tools });
await agent.invoke({ messages: [{ role: "user", content: "Find the latest MSA for Acme and summarize it." }] });
import OpenAI from "openai";
import { ScalekitClient } from "@scalekit-sdk/node";

const sk = new ScalekitClient(env.SCALEKIT_ENV_URL, env.SCALEKIT_CLIENT_ID, env.SCALEKIT_CLIENT_SECRET);
const openai = new OpenAI();

const { tools } = await sk.tools.listScopedTools("user_123", {
  filter: { connectionNames: ["boxmcp"] }, pageSize: 100,
});

const res = await openai.chat.completions.create({
  model: "gpt-5",
  messages: [{ role: "user", content: "What changed between the last two versions of the pricing deck?" }],
  tools,
});

// Execute the tool call with the user's vaulted Box credential
await sk.tools.executeTool(res.choices[0].message.tool_calls[0], "user_123");
import Anthropic from "@anthropic-ai/sdk";
import { ScalekitClient } from "@scalekit-sdk/node";

const sk = new ScalekitClient(env.SCALEKIT_ENV_URL, env.SCALEKIT_CLIENT_ID, env.SCALEKIT_CLIENT_SECRET);
const anthropic = new Anthropic();

const { tools } = await sk.tools.listScopedTools("user_123", {
  filter: { connectionNames: ["boxmcp"] }, pageSize: 100,
});

const msg = await anthropic.messages.create({
  model: "claude-sonnet-5",
  max_tokens: 1024,
  messages: [{ role: "user", content: "Extract the renewal date and contract value from every MSA in Legal." }],
  tools,
});

// Tool call runs with the user's vaulted Box credential
await sk.tools.executeTool(msg.content, "user_123");
import { Agent } from "@google/adk/agents";
import { ScalekitClient } from "@scalekit-sdk/node";

const sk = new ScalekitClient(env.SCALEKIT_ENV_URL, env.SCALEKIT_CLIENT_ID, env.SCALEKIT_CLIENT_SECRET);

const { tools } = await sk.tools.listScopedTools("user_123", {
  filter: { connectionNames: ["boxmcp"] }, pageSize: 100,
});

const agent = new Agent({
  name: "box_document_agent",
  model: "gemini-2.5-pro",
  instruction: "Manage Box files for the signed-in user.",
  tools,
});

await agent.run("Who has access to the Board Materials folder?");
Try these prompts
Copy any prompt into your agent. Each maps directly to a Box tool. Click to copy, paste into your agent, done.
Find and read documents
Copy the prompt
Copied
Find the latest MSA for Acme and summarize the renewal terms.
Copy the prompt
Copied
List everything in the Legal/Contracts folder.
Copy the prompt
Copied
Read the Q2 board memo and pull out the action items.
Ask across files
Copy the prompt
Copied
Compare the last two pricing decks and list what changed.
Copy the prompt
Copied
Extract the renewal date and contract value from every MSA in Legal.
Copy the prompt
Copied
Answer from the vendor security questionnaires: who supports SSO?
Organize and share
Copy the prompt
Copied
Create a folder for the Globex renewal and upload my notes.
Copy the prompt
Copied
Who has access to the Board Materials folder, and at what level?
Copy the prompt
Copied
Upload this summary as acme-renewal-brief.md to Deals/Acme.
SEE HOW AUTH WORKS
Your users connect once. Their Box credentials stay vaulted, every call is scope-checked, and every action is logged.
1
Authorize
Your user connects
Box MCP
once. We tie it to their identity and the meetings they approved — no shared bot account, no org-wide access
Who:
user ‘A’
when:
Once per user
access:
Limited to user
2
Store
Their
Box MCP
token lives in a vault scoped to them. User A's meetings are never reachable by an agent acting for user B, even on the same connection
vault:
encrypted
scope:
per-user
tokens:
auto-refreshed
3
Resolve
When your agent calls a
Box MCP
tool, we fetch the right token server-side. It never touches your agent, never appears in the LLM context, never shows up in your logs
speed:
~40ms
check:
before every call
seen by:
nobody
4
Audit
Every
Box MCP
tool call is logged — who triggered it, which meeting was fetched, what came back. 90 days of history, tied to the user who authorized it
history:
90 days
export:
SIEM-ready
logged:
every call
Test other agents
See the same per-user auth pattern across other file storage connectors.
No items found.
Why Scalekit
Secure your agent's access. Connectors ship in minutes
Other connector libraries treat auth as a demo afterthought. Scalekit starts with identity, scope enforcement, and audit. Connectors follow.
01.
Shared tokens break per-user analytics
A shared Box token looks fine in a demo. In production every upload, move, and folder change looks like one service account, and you cannot tell who touched a contract. Scalekit resolves the credential of the actual user who triggered the agent, never a shared bot.
// shared token
audit → bot_service_account

// scalekit
audit → user_abc ✓
02.
Authentication is not authorization
03.
Multi-tenancy is architectural
04.
Box today. Ten connectors tomorrow.
“Our agents act across Salesforce, Gong, Google Drive, and more, on behalf of every customer. Scalekit behind the scenes meant we can keep adding tools without ever rebuilding how credentials or tool calling work.”
Venu Madhav Kattagoni
Head of Engineering / Von
FAQs
Frequently Asked Questions
Does the agent access Box as the user or through a shared key?
As the user. Scalekit resolves the credential of the person who triggered the agent at request time, so every search, upload, and folder change in your audit trail is attributed to a real user, not a shared service account.
Where is the Box token stored?
In an AES-256 encrypted vault with per-tenant namespacing. Tokens are resolved at request time, never enter LLM context, refresh automatically, and can be revoked from one dashboard.
Can I limit what the agent does in Box?
Yes. Filter by tool name in listScopedTools to expose only what you want, for example search and read without upload, move, or metadata writes. Scalekit also enforces scope checks before every API call.
What happens when a user revokes access?
The credential is invalidated at the next tool call. The call fails closed, other users' connections are unaffected, and the revocation is logged in the audit chain.
Can the agent see files the user cannot access in Box?
No. Because every call runs on the user's own OAuth token, Box enforces that user's existing permissions. Search results, folder listings, and Box AI answers only draw from content the user could already open, and list_item_collaborations shows exactly who else has access.
Start in your coding agent
Up and running in one command
Install the Scalekit skill in your editor of choice. Connector, auth, tools, prompt, all wired up
Claude Code REPL
/plugin marketplace add scalekit-inc/claude-code-authstack
/plugin install agentkit@scalekit-auth-stack
Cursor Code REPL
# ~/.cursor/mcp.json
{
""mcpServers"": {
""boxmcp"": {
""url"": ""https://mcp.scalekit.com/boxmcp"",
""headers"": { ""Authorization"": ""Bearer $SCALEKIT_TOKEN"" }
}
}
}
Codex Code REPL
# ~/.codex/config.toml
[mcp_servers.boxmcp]
url = ""https://mcp.scalekit.com/boxmcp""
auth_env = ""SCALEKIT_TOKEN""
Copilot Code REPL
# .vscode/mcp.json
{
""servers"": {
""boxmcp"": {
""url"": ""https://mcp.scalekit.com/boxmcp"",
""type"": ""http""
}
}
}