Skip to main content
The Box resource mounts a Box account at some prefix such as /box/. All operations involve network I/O to the Box v2 HTTP API: /2.0/folders/{id}/items for directories, /2.0/files/{id}/content for content, and multipart upload / /2.0/folders / delete / PUT (rename or move) / copy for writes. Files are served as raw bytes. Both READ and WRITE modes are supported. Box addresses everything by numeric item id, not by path (the account root is folder id 0). Mirage resolves each path to its id by listing folders level by level and caches the path → id mapping, so nested directories cost one API call per level on first access. Box-native documents are decoded to clean JSON on read: .boxnote and .boxcanvas surface as <name>.boxnote.json / <name>.boxcanvas.json, and Box’s Google-Workspace files (.gdoc / .gsheet / .gslides) surface as <name>.<kind>.json with the server-extracted text in body_text.
Box’s .gdoc.json shares the vfs suffix with Google Drive’s, but the payload is different. Box stores these files as Office Open XML (docx / xlsx / pptx) and Mirage reads them through Box’s representations API (extracted_text), returning a small envelope with body_text. Google Drive reads them through Google’s Documents API and returns the full rich Document structure. The gws commands (gws docs documents get and friends) work only on Google mounts: the ids are Google ids, and Box exposes no Docs-style edit API for these files. On a Box mount, use cat ... | jq -r .body_text for the text; for rich reads or edits, mount the file’s Google counterpart via Google Drive.
For credential setup, see the Box Setup guide. The TypeScript packages ship the same backend for Node and the browser, see Box (TypeScript).

Config

Box supports three authentication modes:
  • Developer token (access_token): quickest to try; expires after ~60 minutes and cannot be refreshed programmatically.
  • OAuth2 refresh (client_id + refresh_token, optional client_secret): Box rotates the refresh token on each refresh; supply on_refresh_token_rotated to persist the new one across restarts.
  • Client credentials (client_id + client_secret + enterprise_id): the app authenticates as its own service account; expired tokens are simply re-fetched.
The access token is cached in memory and refreshed ~5 minutes before expiry (refresh and client-credentials modes).

Config Reference

* Provide one of: access_token; client_id + refresh_token; or client_id + client_secret + enterprise_id.

Mount a subfolder

Pass root_folder_id to expose a single Box folder as the mount root instead of the whole account. Every command and FUSE/VFS op is scoped to that folder; paths outside it are unreachable. Folder ids are stable across renames and moves, and are visible in the Box web URL (app.box.com/folder/<id>), so an id-based mount survives reorganization that a path prefix would not.

Cache

The Box resource caches directory listings via IndexCacheStore (24-hour TTL) to hold the path → id mapping and reduce repeated API calls during traversal; file reads go through the standard read cache (caches_reads = True). Writes invalidate the affected listings so subsequent reads see the new state.

Example