This guide covers setting up Hybrid VPC with Box as your storage backend. Reducto uses a Box enterprise application with Client Credentials Grant (CCG) to read and write documents in your Box environment. This integration is ideal for organizations that already manage documents in Box and want to process them with Reducto without moving data to a separate object store.Documentation Index
Fetch the complete documentation index at: https://docs.reducto.ai/llms.txt
Use this file to discover all available pages before exploring further.
Prerequisites
- Box Enterprise account with admin access
- Box Developer Console access for creating custom apps
- Values provided during onboarding from Reducto (Organization ID)
Architecture
Setup
Create a Box Custom Application
- Go to the Box Developer Console
- Click Create New App → Custom App
- Select Server Authentication (Client Credentials Grant) as the authentication method
- Name the app (e.g., “Reducto Integration”)
- Click Create App
Configure app permissions
In the app’s Configuration tab:
- Under Application Scopes, enable:
- Read all files and folders stored in Box
- Write all files and folders stored in Box
- Under App Access Level, select App + Enterprise Access
- Click Save Changes
Authorize the app in Admin Console
- Go to Box Admin Console → Apps → Custom Apps
- Click Add App
- Enter the Client ID from your app’s Configuration tab
- Click Authorize
Create a dedicated folder
Create a folder in Box for Reducto to use:
- In Box, create a new folder (e.g., “Reducto Processing”)
- Note the Folder ID from the URL (e.g.,
https://app.box.com/folder/123456789→ folder ID is123456789) - Ensure the service account (created automatically with your app) has access to this folder
If you want Reducto to access the root of the enterprise, use folder ID
0. For better isolation, we recommend creating a dedicated folder.Share credentials with Reducto
From the app’s Configuration tab, securely share:
| Value | Where to find |
|---|---|
| Client ID | Configuration → OAuth 2.0 Credentials |
| Client Secret | Configuration → OAuth 2.0 Credentials |
| Enterprise ID | General Settings → Enterprise ID (or Admin Console → Account & Billing) |
| Folder ID | URL of the target folder in Box |
Integration Values
| Value | Description |
|---|---|
client_id | Box app OAuth 2.0 Client ID |
client_secret | Box app OAuth 2.0 Client Secret |
enterprise_id | Your Box Enterprise ID |
folder_id | Target folder ID for document storage (use 0 for root) |
How It Works
- Authentication: Reducto authenticates using Client Credentials Grant (CCG) — no user interaction required. The app’s service account gets an access token automatically.
- Document storage: Files are stored in the configured Box folder using the processing key as the filename. Reducto creates, reads, and deletes files as needed during processing.
- Result access: Processing results are written back to Box. You can access them via shared links (similar to presigned URLs) or by browsing the folder in Box.
Data Lifecycle
Box does not have built-in lifecycle expiration like S3 or Azure. To manage data retention:Option 1: Reducto-managed cleanup (recommended)
Option 1: Reducto-managed cleanup (recommended)
Reducto automatically deletes intermediate artifacts after processing completes. Configure the retention period during onboarding.
Option 2: Box retention policies
Option 2: Box retention policies
Box Enterprise supports retention policies that can auto-delete content after a specified period. Set up a retention policy on the Reducto folder.
Option 3: Manual cleanup
Option 3: Manual cleanup
Periodically review and delete files from the Reducto folder. Not recommended for production use.
Security
- No user credentials required: CCG authentication uses app-level credentials, not user passwords
- Scoped access: The app can be restricted to specific folders using Box’s collaboration model
- Enterprise admin approval: The app must be explicitly authorized by a Box admin
- Audit trail: Box provides detailed audit logs of all file access and modifications
- Credential rotation: Client Secret can be rotated in the Box Developer Console without downtime
Limitations
| Limitation | Impact | Mitigation |
|---|---|---|
| No Terraform provider | Setup is manual (not automated via IaC) | Documented step-by-step process above |
| Rate limits | Box API has more aggressive rate limits than S3/Azure | Reducto handles rate limiting and retries automatically |
| File-based API | Box uses file/folder hierarchy, not flat key-value | Reducto maps keys to filenames transparently |
| No native lifecycle expiry | Unlike S3, no automatic per-object TTL | Use Box retention policies or Reducto-managed cleanup |
Troubleshooting
403 Forbidden when accessing files
403 Forbidden when accessing files
Verify that:
- The app is authorized in the Box Admin Console
- The service account has collaborator access to the target folder
- The app scopes include read and write permissions
Rate limit errors (429)
Rate limit errors (429)
Reducto handles rate limiting automatically with exponential backoff. If you see persistent rate limit errors, contact Reducto support — we may need to adjust concurrency settings for your account.
Files not appearing in Box web UI
Files not appearing in Box web UI
Files created by the service account are owned by that account. To view them in the Box web UI, add yourself as a collaborator on the Reducto folder, or use the service account’s credentials to browse.