boxadm-mcp
Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| BOX_API_BASE | No | API base URL (default https://api.box.com) | |
| BOX_AUTH_MODE | No | oauth or ccg (default ccg) | |
| BOX_CLIENT_ID | Yes | App Client ID | |
| BOX_TOKEN_CACHE | No | OAuth token cache path (default ~/.config/boxadm-mcp/token.json) | |
| BOX_CLIENT_SECRET | Yes | App Client Secret | |
| BOX_ENTERPRISE_ID | No | Enterprise ID (required for ccg mode) | |
| BOX_ALLOWED_DOMAINS | Yes | Internal email domains (comma-separated) | |
| BOX_OAUTH_REDIRECT_URI | No | OAuth redirect URI (default http://localhost:8787/callback) |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | {
"listChanged": false
} |
| prompts | {
"listChanged": false
} |
| resources | {
"subscribe": false,
"listChanged": false
} |
| experimental | {} |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| health_checkA | Report server version, Box connectivity/auth, and configuration. Call this at session start (or after a tool-call timeout) to confirm the MCP
is up, see which version is running, verify the Box enterprise token can be
obtained (CCG) and that the Always returns the same keys: |
| recent_admin_eventsA | Fetch recent enterprise Diagnostic/starter tool: returns Box events verbatim so the real event types and field shapes can be confirmed before analytics tools are layered on. For external-sharing work the event types of interest are typically COLLABORATION_INVITE / COLLAB_ADD_COLLABORATOR, SHARED_LINK_CREATED / ITEM_SHARED_CREATE, and DOWNLOAD / PREVIEW. Args:
event_types: Comma-separated Box event_type filter (empty = all types).
since_hours: Look-back window in hours (default 24).
limit: Max events to return in this page (default 100).
stream_position: Continue a previous page by passing back the
|
| external_access_eventsA | Surface external file access (DOWNLOAD / PREVIEW) from enterprise admin_logs. Enterprise-wide (events stream): over the window, flags each access whose
actor ( Args:
since_hours: Look-back window in hours (default 24).
max_events: Cap on DOWNLOAD/PREVIEW events scanned (default 5000); the
result's Returns Notes:
|
| external_collaboratorsA | List external collaborators on Box folders (current state, enumeration). Walks folders the authenticating co-admin user can see (default from the root "All Files") and reports collaborations whose collaborator is outside the org domain allowlist — accepted external users or pending external invites. Useful to review who outside the organization has standing access. Args:
root_folder_id: Folder to start from ("0" = the user's root).
max_folders: Cap on folders visited (default 150); Coverage note: limited to content the co-admin user can access (not provably
100% of the enterprise) and to the depth/folders caps. Returns
|
| public_shared_linksA | List items with an open ("anyone with the link") shared link (enumeration). Walks folders the authenticating co-admin user can see and reports files and
folders whose shared link access is Args:
root_folder_id: Folder to start from ("0" = the user's root).
max_folders: Cap on folders visited (default 150); Coverage note: limited to content the co-admin user can access and to the
caps. Returns |
| top_external_sharersA | Rank internal owners by their external exposure (enumeration). One traversal (same as external_collaborators / public_shared_links), then ranks internal file/folder owners by how much external exposure they hold: external collaborations + open shared links on content they own. Surfaces the people whose content is most exposed outside the organization. Args: root_folder_id / max_folders / max_depth: traversal bounds (see external_collaborators). top: How many owners to return (default 20). Coverage note: limited to the co-admin user's visible content and the caps.
Returns |
| daily_briefA | Morning DLP brief: external access (events) + external-sharing state (enumeration). One call that combines:
Reuses the cached folder scan, so calling this alongside the other enumeration
tools doesn't re-walk. Args mirror the underlying tools; |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
No prompts | |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
No resources | |
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/shigechika/boxadm-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server