At present, when rclone connects to box, it uses a developer (bearer) access_token and a refresh_token to generate a new access_token when it expires. This is great if what you want is to use rclone to access your personal box account, with unrestricted access. Things are a little different if rclone is going to be run on a server, as a service account that you may want to have restricted access…
If you browse to https://developer.box.com, log in to the console, and go to Create New App > Custom > OAuth 2.0 with JWT > (enter a name), then it presents you with a temporary developer access_token (just ignore that for now). You can then browse to your app's Configuration. At the top, it has authentication methods for the developer, but if you scroll down, you can restrict the access of the app and generate an RSA key for the app to use for authentication.
By default, even with the “all files and folders in box” checkbox selected, the app has no access to anything at all, whereas authenticating as the developer you have full access to everything. As the developer, you can query the API for app_user.id, which is of the form “AppUser_xxxxxxxxxxx@boxdev…”. Then, as yourself, you can share a folder with that user, as if it were some other box user.
For service accounts running on servers, this is highly desirable compared to using the developer access_token. The only change that rclone needs in order to support it is to have the ability to authenticate to the box API with an application RSA key instead of using the developer access_token. (And some sugar to make it easy for sysadmins to figure out how to generate the application credentials, or decide which authentication method is better for their usage.)
As always, thanks for this wonderful tool.
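The JWT (server authentication) exchange the post asks rclone to support, written out as an added example in Go (rclone's language). This is not rclone code or Box's SDK: the key pair, client ID, enterprise/app user ID and key ID are placeholders, the key is assumed to be 2048-bit RSA, and the 45 s assertion lifetime is a chosen value inside Box's 60 s limit.

```go
package main

import (
	"crypto"; "crypto/rand"; "crypto/rsa"; "crypto/sha512"; "encoding/base64"
	"encoding/json"; "errors"; "net/url"; "strings"; "time"
)
const boxTokenURL = "https://api.box.com/oauth2/token" // token endpoint; also the required "aud" claim
// BoxClaims is the claim set Box expects from an app configured for JWT (server) authentication.
type BoxClaims struct {
	Iss        string `json:"iss"`          // the app's client ID
	Sub        string `json:"sub"`          // enterprise ID, or an app user's ID
	BoxSubType string `json:"box_sub_type"` // "enterprise" or "user"
	Aud        string `json:"aud"`          // must equal boxTokenURL
	Jti        string `json:"jti"`          // unique nonce, 16-128 chars, never reused
	Exp        int64  `json:"exp"`          // Unix time, at most 60 s in the future
}
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// NewAppKey stands in for the RSA key pair generated in the Box developer console (assumption: 2048-bit).
func NewAppKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// BuildAssertion signs the claims with the app's private key (RS512); kid is the public key ID Box assigns.
func BuildAssertion(key *rsa.PrivateKey, kid, clientID, sub, subType string, now time.Time) (string, error) {
	nonce := make([]byte, 32) // fresh jti per assertion so the endpoint can reject replays
	if _, err := rand.Read(nonce); err != nil { return "", err }
	hdr, _ := json.Marshal(map[string]string{"alg": "RS512", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(BoxClaims{Iss: clientID, Sub: sub, BoxSubType: subType, Aud: boxTokenURL,
		Jti: b64(nonce), Exp: now.Add(45 * time.Second).Unix()})
	input := b64(hdr) + "." + b64(body)
	digest := sha512.Sum512([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA512, digest[:])
	if err != nil { return "", err }
	return input + "." + b64(sig), nil
}
// TokenRequestBody is the form body POSTed to boxTokenURL to trade the assertion for a short-lived access_token.
func TokenRequestBody(clientID, clientSecret, assertion string) string {
	return url.Values{"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"}, "client_id": {clientID},
		"client_secret": {clientSecret}, "assertion": {assertion}}.Encode()
}
// VerifyAssertion mirrors the endpoint's checks: RS512 signature first, then aud and the exp window.
func VerifyAssertion(pub *rsa.PublicKey, token string, now time.Time) (c BoxClaims, err error) {
	p := strings.Split(token, ".")
	if len(p) != 3 { return c, errors.New("malformed JWT") }
	sig, err := base64.RawURLEncoding.DecodeString(p[2])
	if err != nil { return c, err }
	digest := sha512.Sum512([]byte(p[0] + "." + p[1]))
	if err = rsa.VerifyPKCS1v15(pub, crypto.SHA512, digest[:], sig); err != nil { return c, err }
	raw, _ := base64.RawURLEncoding.DecodeString(p[1]) // safe: the claims were covered by the signature
	if err = json.Unmarshal(raw, &c); err != nil { return c, err }
	if c.Aud != boxTokenURL || c.Exp <= now.Unix() || c.Exp > now.Add(60*time.Second).Unix() { return c, errors.New("claims rejected") }
	return c, nil
}
```

The access_token Box returns for such a request only carries the rights granted to the app (or shared with its app user), which is the restricted, non-developer access the post describes.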