The permissions, or scope, of an OAuth 2.0 client determine which user details and resources the application can access and modify. There are two important groups of permissions, and each corresponds to the type of token generated after authorization. The tokens issued to your application depend on the requested response_type and on the client's permission settings. This article discusses the permissions; for information about the authorization parameters, see how to make your first request.


Open ID Connect (ID Token)


The "openid profile email" permission generates an id_token that carries details, or claims, about the user encoded in the token itself. These claims are readable by anyone who holds the token, but the token is signed with your client's Private Key, so you can verify its authenticity by decoding the token with your client's Public Key. The claims available in the decoded token are:


Claim            Description
sub              Unique User ID / BoxC Account ID
aud              Your Client ID is the audience for this token
email            Registered email address
email_verified   Indicates if the email address has been verified by BoxC
family_name      Surname of the user
given_name       Given name of the user
name             Full name of the user
locale           Language setting
zoneinfo         Timezone setting (TZ database)
exp              Unix timestamp of the token expiration
iss              Identity provider that issued the token (accounts.boxc.com)
iat              Unix timestamp of token creation


API (Access Token)


The remaining permissions in the list affect which API resources your application can access and modify. Some resources, such as Warehouses and Entry Points, are always accessible. The individual permission names on the client settings page indicate what each one covers. Having "write" access allows an application to create, update, and delete resources.


The generated access_token does not carry all of the claims encoded in the id_token. The claims available in the decoded token are:


Claim      Description
sub        Unique User ID / BoxC Account ID
aud        The API resource server is the audience for this token (api.boxc.com)
iss        Resource server that issued the token (accounts.boxc.com)
exp        Unix timestamp of the token expiration
iat        Unix timestamp of token creation
client_id  Your Client ID
scope      A space delimited string of permissions
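The following is an added example, not code from this documentation or from BoxC, showing how a client can decode the payload of either token and check the claims listed in the two tables above (issuer, audience, lifetime, and for access tokens the client_id and scope). It assumes the compact JWT form header.payload.signature; the signature itself must still be verified with the appropriate key before the claims are trusted, and the sample_token helper and its placeholder signature are constructed for illustration only.

```python
import base64
import json

ISSUER = "accounts.boxc.com"      # iss value given in the tables above
API_AUDIENCE = "api.boxc.com"     # aud of an access token, per the table above

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    # Split the compact form header.payload.signature and decode the payload.
    # The signature is NOT checked here; verify it with the issuer's key first.
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))

def check_common(claims: dict, expected_aud: str, now: int) -> list:
    # Checks that apply to both token types: issuer, audience and lifetime.
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("iss")
    if claims.get("aud") != expected_aud:
        problems.append("aud")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("exp")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now:
        problems.append("iat")
    return problems

def validate_id_token(claims: dict, client_id: str, now: int) -> list:
    # ID token: aud must be our own client ID, and sub identifies the user.
    problems = check_common(claims, client_id, now)
    if not claims.get("sub"):
        problems.append("sub")
    return problems

def validate_access_token(claims: dict, client_id: str, scope: str, now: int) -> list:
    # Access token: aud is the API server; client_id and scope must match.
    problems = check_common(claims, API_AUDIENCE, now)
    if claims.get("client_id") != client_id:
        problems.append("client_id")
    if scope not in claims.get("scope", "").split():
        problems.append("scope")
    return problems

def sample_token(claims: dict) -> str:
    # Constructed test token: real payload encoding, placeholder signature.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "RS256", "typ": "JWT"})}.{enc(claims)}.sig'
```

Each validator returns the list of failing claim names, so an empty list means every check in the table passed for that token type.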


Consent Screen


The consent screen a user sees when authorizing your application will be different depending on the permissions requested. This screen will appear when requesting permissions for both groups:


Changing your client's permissions causes users to authorize your application again, even if you're downgrading the scope. It will not invalidate existing tokens.