Implementing the Box.com integration: test and production checklist

Practical implementation guide for the Box.com integration (Box Sign on orders), with a checklist for test and production. The numbered steps describe the order; then use the per-environment checklists.

Things to watch

• The JWT app must be authorized in the Box Admin Console (otherwise no token).
• The webhook endpoint Box calls back must be publicly reachable (HMAC-verified).
• Order templates and the order field for the sign-request id are mandatory for a working flow.

Checklist — test environment

• ☐ Box JWT app created (Server Authentication with JWT).
• ☐ Key pair generated: private key (PEM), public key id and passphrase noted.
• ☐ App authorized in the Box Admin Console with the Box Sign scopes.
• ☐ Enterprise ID, client id and client secret noted.
• ☐ Auth screen filled; Request authentication succeeded (Box user visible, folder + webhook created).
• ☐ Folder name, optional as-user, redirect URL and final-copy recipient set.
• ☐ Order template(s) selected + order field for sign-request id chosen.
• ☐ Webhook endpoint publicly reachable.
• ☐ End-to-end tested: order → "request signature" → sign request at customer; signing → status back + signed document in i-Reserve.

Checklist — production environment

• ☐ Production JWT app (or deliberately the same) + production key pair; authorized in the production Admin Console.
• ☐ Webhook endpoint publicly reachable in production (real host/SSL).
• ☐ Real order templates + correct order field for the sign-request id.
• ☐ Final-copy recipient and redirect URL aligned with the customer.
• ☐ First live sign request + webhook callback verified.
• ☐ Rollback known: setting the integration inactive stops new sign requests.