Currently, Box requires developers to use a client secret for OAuth 2.0 apps, which in turn requires standing up and maintaining a backend service just to exchange authorization codes securely.

While this is secure, it creates a huge amount of friction for developers who want to build modern, client-side applications such as single-page apps (SPAs) or mobile apps. In many cases, the only reason a backend exists is to hold a secret, nothing else.

If Box supported PKCE (Proof Key for Code Exchange), developers could authenticate directly from the client without needing a backend at all, just as they can with platforms like Microsoft Entra, Google Identity, and Okta.

This would dramatically reduce time to market, lower costs for developers, and make Box much easier to integrate into modern front-end-first workflows.

Example Scenario

A developer wants to build a React-based file manager using Box APIs.
Under the current model, they must:

1. Deploy a backend to safely store the client secret.
2. Manage hosting, scaling, and security for that backend.
3. Build and maintain the OAuth exchange logic.

With PKCE, none of that is necessary. The developer could securely authenticate directly from the browser, accelerating development and reducing costs.