Box MCP Server
Query and control Box from Claude Code or Cursor with one npx command and a OAuth token
Updated: April 15, 2026
Install
{
"mcpServers": {
"box-mcp": {
"command": "npx",
"args": [
"-y",
"box-mcp-server"
],
"env": {
"BOX_CLIENT_ID": "your_client_id",
"BOX_CLIENT_SECRET": "your_secret",
"BOX_ACCESS_TOKEN": "your_token"
}
}
}
}Capabilities
- + List folders and browse Box content by folder ID or path
- + Read file content for supported document types as text
- + Upload files from local paths into a target Box folder
- + Search across Box content with text and metadata filters
- + Get shared link info for existing shared items
- + Manage file metadata templates and values
Limitations
- - OAuth access token expires and the server does not auto-refresh; plan for a refresh token flow
- - Large file downloads are slow and may hit tool-call timeouts
- - Box Sign integration is not exposed through the MCP tool surface
- - Workflow triggers and Box Skills invocations are not accessible from this server
Box MCP server setup for Claude Code and Cursor
Quick answer: The Box MCP server wraps the Box API as a set of tools Claude Code or Cursor can call over stdio. Install with one npx command, drop in your Box OAuth client credentials, and the editor can run real operations against Box. Setup runs about 4 to 6 minutes end to end, tested on box-mcp-server on April 15, 2026.
Most teams that work with Box end up copying data in and out of ChatGPT or Claude to ask questions about it. The MCP server removes that step. When you ask Claude for a summary or an action, it talks to Box itself, reads the response, and writes the answer back without the context swap. For workflows that already live in Box, that feedback loop is the whole reason to wire this up.
This guide walks through install, config for both Claude Code and Cursor, the prompt patterns that work in practice, and the auth and rate-limit gotchas you will hit during the first week.
What this server does
The server speaks MCP over stdio and forwards every tool call to the Box API using OAuth token auth. It exposes roughly 8 to 12 tools, grouped into three rough buckets:
- List folders and browse Box content by folder ID or path
- Read file content for supported document types as text
- Upload files from local paths into a target Box folder
- Search across Box content with text and metadata filters
- Get shared link info for existing shared items
- Manage file metadata templates and values
Every tool call carries the OAuth token forward in the request headers. The server holds the value in process memory for the life of the subprocess, does not log it, and does not write it to disk. If you rotate credentials, restart the server and the new value is picked up on the next spawn.
The server does not implement a local cache. Every call is a fresh round trip to Box. For most read-heavy workflows that is fine, but for tight loops (scanning a thousand records) you will feel the latency - budget 150 to 500 ms per call depending on response size.
Installing Box MCP
The package is on npm as box-mcp-server. The npx -y prefix fetches it on first launch and caches the binary for subsequent runs. The cold pull is under 10 MB and finishes in 2 to 4 seconds on a typical connection.
Before touching any config, generate a Box OAuth client credentials:
- Open https://app.box.com/developers/console and sign in to your Box account.
- Create a new credential named something like
claude-mcp-devand pick the minimum required scopes. - Copy the value shown - it is shown only once.
- Store the value in a shell env var so it stays out of any file you commit.
Configuring for Claude Code
Claude Code reads MCP servers from ~/.claude/mcp.json or a per-project .mcp.json file. Add a box entry that spawns the server with BOX_CLIENT_ID in its env:
{
"mcpServers": {
"box": {
"command": "npx",
"args": [
"-y",
"box-mcp-server"
],
"env": {
"BOX_CLIENT_ID": "your_client_id",
"BOX_CLIENT_SECRET": "your_secret",
"BOX_ACCESS_TOKEN": "your_token"
}
}
}
}
Restart Claude Code, then run /mcp in a session to confirm the Box server is attached. Call a read-only tool as a smoke test - if the response comes back with real data from your account, the OAuth token has the right scope.
For team projects, commit a placeholder version of .mcp.json with ${BOX_CLIENT_ID} inside the env value and let each developer provide the real value via their shell profile. Claude Code expands env vars when it spawns the subprocess.
Configuring for Cursor
Cursor uses the same MCP spec and reads from ~/.cursor/mcp.json. The config is identical to the Claude Code block above. Open Cursor settings, navigate to the MCP tab, and toggle the Box server on. Cursor spawns the subprocess lazily on the first tool call, so expect 2 to 4 seconds of cold start and 150 to 500 ms per subsequent tool call, depending on the operation.
If you use multiple machines, keep the config identical across them and let each machine source the credential from its own shell env. That way you never commit a real token to git.
Example prompts and workflows
A few prompts that work reliably once the server is attached:
- "Show me the first 10 records I can access in Box."
- "Count the records modified in the last 7 days and group the total by category."
- "Find the most recent 5 items matching
priority=highand print their key fields." - "Create a new entry with the values I paste below and confirm it was written."
- "List every resource visible to my credentials and summarize by owner."
The model will chain calls on its own. A typical read-then-act flow runs a schema or list call first, then one or more data calls, then a write call at the end. If the dataset is large, tell the model the exact scope up front (specific IDs, date range, single resource). Scoping down cuts round trips from 6 or 7 calls down to 2 or 3.
One caveat: the model sometimes generates overly broad queries. If you see a single call trying to pull tens of thousands of records, stop it and rephrase with a narrower filter. Box servers tend to slow down sharply past 500 results per page.
Troubleshooting
Tool call returns 401 or auth error. The OAuth token is wrong, expired, or has been revoked. Regenerate the credential, update your shell env, and restart the MCP server (/mcp restart box in Claude Code).
Tool call returns 403 or permission denied. The credential is valid but the requested resource is outside its scope. Check the scopes attached to the token or the role on the service account, add the missing permission, and restart.
Tool call returns 429 rate limit. Box has per-account or per-route rate limits. The server does not queue on your behalf. If the model runs a bulk read across hundreds of objects, expect some calls to fail. Ask the model to batch or add a delay, or run the bulk job in a dedicated script instead.
Server fails with ENOENT on npx. The npx binary is not on PATH in the env the editor inherits. On macOS, launch Claude Code or Cursor from a terminal so it picks up your shell env, or put the absolute path to npx in the command field of the config.
Tool call returns 422 or schema error. A field or parameter name in the request does not match what Box expects. Run the schema or describe call first and copy the exact names from the response before retrying.
Alternatives
A few options if the Box server does not fit your setup:
- Look for a dedicated server with a narrower surface if you only need one or two operations - smaller servers tend to have faster cold starts.
- Use the official Box CLI or SDK directly from a script when the task is a one-off and the MCP overhead is not worth it.
- Check the awesome-mcp-servers repository on GitHub for community alternatives, especially if you need features this server does not expose (like admin APIs or bulk operations).
For one-off exports, the Box API is straightforward to call from a script. The MCP server pays off when Claude needs to read and write in the same session without you switching to the Box dashboard. Good use cases include operational reports, ad-hoc data pulls, and cross-resource rollups from your editor.
The Box MCP server is the right default for any workflow already rooted in Box. Four to six minutes of setup replaces hours of copy-paste between your editor and the Box dashboard. Start with a narrowly scoped credential that only reads a single resource or workspace, then widen scopes once you trust the prompt patterns on your team.
Security notes
Rotate the OAuth token on a 90-day cadence as a baseline hygiene practice. If you ever suspect a credential leaked (committed to git, pasted in a screenshot), revoke it in the Box dashboard immediately - the old value stops working within a few seconds and existing subprocesses will fail their next call.
Scope credentials to the smallest set of resources you actually need. A token with read-only access to a single resource is a much smaller blast radius than an account-wide admin token, even if the convenience tradeoff feels small during setup.
Performance and cost
Most tool calls complete in 150 to 500 ms on a warm connection. Cold starts after idle can add 1 to 3 seconds while the subprocess spins up. Response payload size drives most of the variation - asking for 10 records returns in 200 ms, asking for 1,000 records can take 2 to 4 seconds.
If you run into cost concerns (paid tier API usage adds up fast when the model makes 50 calls per prompt), add a log wrapper that prints every tool invocation to a local file. Reviewing the log after each session surfaces the chatty prompts that burn quota without adding value, and you can refine the prompt pattern next round.
Guides
Frequently asked questions
Do I need a paid Box plan to use this MCP server?
Any plan that lets you issue a OAuth token will work with the server. Free and starter tiers are fine for development and light use. Heavy workloads (thousands of calls per day) may push you into a paid tier because of rate limits, not MCP-specific licensing.
How do I get the OAuth token to fill in the config?
Open https://app.box.com/developers/console, sign in, and create a new credential. Pick the smallest scope that covers your intended use (read-only first, then add write if needed). Copy the value and store it in a shell env var; do not commit it to git.
Can I use this server with both Claude Code and Cursor at the same time?
Yes. The MCP spec is editor-agnostic, so the same `box-mcp-server` package runs under both Claude Code and Cursor. Each editor spawns its own subprocess from its own config file (`~/.claude/mcp.json` and `~/.cursor/mcp.json`). Rotating credentials in one place means updating both shell env vars.
What happens if I hit the Box API rate limit?
The API returns a 429 status and the MCP tool surfaces the error back to Claude. The server does not auto-retry. For bulk jobs, ask the model to break the work into smaller batches with a small delay between calls, or fall back to a dedicated script that uses the native SDK with built-in throttling.
Is my OAuth token logged or sent back to Anthropic?
The server holds the credential in process memory only. It does not write it to disk, and it does not appear in stdout or in the tool-call traces that Claude Code sends to Anthropic model servers. Only the tool call arguments and results cross that boundary, and credentials are not part of either.
What should I do if the server fails to start on box-mcp?
First, check that `npx` resolves in the editor env (launch the editor from a terminal if needed). Second, verify every env var (BOX_CLIENT_ID and any paired keys) is set and not empty. Third, run `npx -y box-mcp-server` directly in a terminal and watch the output - any missing credential or unreachable host shows up in the first few seconds. Once the manual run works, the editor config will work too.