Security: box-community/box-remote-mcp-proxy

SECURITY.md

Security Configuration

The Box MCP Proxy supports multiple token storage methods for enhanced security.

Storage Options

Set the TOKEN_STORAGE_TYPE environment variable to choose your storage method:

1. Keyring Storage (Recommended)

export TOKEN_STORAGE_TYPE="keyring"
  • Stores tokens in the OS keychain (macOS Keychain, Windows Credential Manager, Linux Secret Service)
  • Tokens are encrypted by the OS and require authentication to access
  • Most secure option for persistent storage
  • Requires keyring package: pip install keyring

2. Memory Only Storage

export TOKEN_STORAGE_TYPE="memory"
  • Stores tokens only in memory during runtime
  • Maximum security - no persistent storage
  • Requires re-authentication on every restart
  • Ideal for high-security environments

3. Encrypted File Storage

export TOKEN_STORAGE_TYPE="encrypted"
  • Encrypts tokens with a system-derived key before writing them to a file
  • Better than plaintext, but the key derivation is visible to local users, so it does not protect the tokens from someone who already has local access
  • Requires cryptography package: pip install cryptography
  • File stored at location specified by TOKEN_FILE

4. Plaintext Storage (Not Recommended)

export TOKEN_STORAGE_TYPE="plaintext"
  • Stores tokens in plain JSON file
  • Only recommended for development/testing
  • File permissions set to 600 (owner read/write only)
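As an added illustration (not the project's own code), here is a minimal token store that picks its backend from TOKEN_STORAGE_TYPE the way the options above describe. Only the "memory" and "plaintext" backends are implemented, using the standard library; the class and function names, the default of "memory", and the reuse of TOKEN_FILE for the plaintext path are assumptions for this example.

```python
import json
import os
import stat


class MemoryTokenStore:
    """Tokens live only in this object and vanish when the process exits."""

    def __init__(self):
        self._tokens = {}

    def save(self, tokens):
        self._tokens = dict(tokens)

    def load(self):
        return dict(self._tokens) or None


class PlaintextTokenStore:
    """Plain JSON on disk, created with mode 0600 (owner read/write only)."""

    def __init__(self, path):
        self.path = path

    def save(self, tokens):
        # Passing 0o600 to os.open avoids a window in which the umask could
        # leave a freshly created file readable by other users.
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        os.chmod(self.path, 0o600)  # also tighten a pre-existing, looser file
        with os.fdopen(fd, "w") as f:
            json.dump(tokens, f)

    def load(self):
        if not os.path.exists(self.path):
            return None
        mode = stat.S_IMODE(os.stat(self.path).st_mode)
        if mode & 0o077:
            # Refuse a token file that group or others can read or write.
            raise PermissionError(f"{self.path} has mode {oct(mode)}, expected 0o600")
        with open(self.path) as f:
            return json.load(f)


def make_store(env):
    """Select a backend from TOKEN_STORAGE_TYPE; unknown values fail closed."""
    kind = env.get("TOKEN_STORAGE_TYPE", "memory")
    if kind == "memory":
        return MemoryTokenStore()
    if kind == "plaintext":
        return PlaintextTokenStore(env.get("TOKEN_FILE", "tokens.json"))
    raise ValueError(f"unsupported TOKEN_STORAGE_TYPE: {kind}")
```

The permission check in load() is what turns the "600" guarantee into something the proxy enforces on every start rather than only at creation time.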

Security Best Practices

  1. Use keyring storage for production deployments
  2. Restrict who can read the shell profiles, service files, or process environment that carry these environment variables
  3. Regularly rotate Box app credentials
  4. Monitor access logs for unauthorized usage
  5. Use memory storage for maximum security in sensitive environments

Migration

To migrate between storage types:

  1. Set new TOKEN_STORAGE_TYPE
  2. Restart the proxy (this requires re-authentication)
  3. Delete old token files if switching from file-based storage