ConductorOne · robert-chiniquy · Feb 8, 2026 · Feb 14, 2026 · Feb 18, 2026
diff --git a/cmd/baton-box/main.go b/cmd/baton-box/main.go
@@ -44,7 +44,7 @@ func main() {
 func getConnector(ctx context.Context, c *cfg.Box) (types.ConnectorServer, error) {
 	l := ctxzap.Extract(ctx)
 
-	cb, err := connector.New(ctx, c.BoxClientId, c.BoxClientSecret, c.EnterpriseId)
+	cb, err := connector.New(ctx, c.BoxClientId, c.BoxClientSecret, c.EnterpriseId, c.BaseUrl)
 	if err != nil {
 		l.Error("error creating box connector", zap.Error(err))
 		return nil, err

diff --git a/pkg/box/client.go b/pkg/box/client.go
@@ -17,13 +17,14 @@
 type Client struct {
 	httpClient *http.Client
 	token      string
+	baseURL    string
 }
 
 const (
-	baseUrl       = "https://api.box.com"
-	defaultOffset = 0
-	defaultLimit  = 200
-	errorType     = "error"
+	defaultBaseURL = "https://api.box.com"
+	defaultOffset  = 0
+	defaultLimit   = 200
+	errorType      = "error"
 )
 
 type paginationData struct {
@@ -44,10 +45,14 @@
 	Status    int64  `json:"status"`
 }
 
-func NewClient(httpClient *http.Client, token string) *Client {
+func NewClient(httpClient *http.Client, token string, baseURL string) *Client {
+	if baseURL == "" {
+		baseURL = defaultBaseURL
+	}
 	return &Client{
 		httpClient: httpClient,
 		token:      token,
+		baseURL:    baseURL,
 	}
 }
 
@@ -63,12 +68,15 @@
 }
 
 // RequestAccessToken creates bearer token needed to use the Box API.
-func RequestAccessToken(ctx context.Context, clientID string, clientSecret string, enterpriseId string) (string, error) {
+func RequestAccessToken(ctx context.Context, clientID string, clientSecret string, enterpriseId string, baseURL string) (string, error) {
+	if baseURL == "" {
+		baseURL = defaultBaseURL
+	}
 	httpClient, err := uhttp.NewClient(ctx, uhttp.WithLogger(true, ctxzap.Extract(ctx)))
 	if err != nil {
 		return "", err
 	}
-	authUrl := fmt.Sprint(baseUrl, "/oauth2/token")
+	authUrl := fmt.Sprint(baseURL, "/oauth2/token")
 	data := url.Values{}
 	data.Add("client_id", clientID)
 	data.Add("client_secret", clientSecret)
@@ -84,7 +92,7 @@
 	req.Header.Add("accept", "application/json")
 	req.Header.Add("content-type", "application/x-www-form-urlencoded")

 	resp, err := httpClient.Do(req)
 	if err != nil {
 		return "", err
 	}
@@ -99,7 +107,7 @@
 	}

 	var res struct {
 		AccessToken string `json:"access_token"`
 	}

 	if err := json.NewDecoder(resp.Body).Decode(&res); err != nil {
@@ -113,7 +121,7 @@
 	var allUsers []User
 	offset := defaultOffset
 	totalReturned := 0
-	usersUrl := fmt.Sprint(baseUrl, "/2.0/users")
+	usersUrl := fmt.Sprint(c.baseURL, "/2.0/users")
 
 	var res struct {
 		paginationData
@@ -149,7 +157,7 @@
 	var allGroups []Group
 	offset := defaultOffset
 	totalReturned := 0
-	usersUrl := fmt.Sprint(baseUrl, "/2.0/groups")
+	usersUrl := fmt.Sprint(c.baseURL, "/2.0/groups")
 
 	var res struct {
 		paginationData
@@ -185,7 +193,7 @@
 	var allGroupMemberships []GroupMembership
 	offset := defaultOffset
 	totalReturned := 0
-	usersUrl := fmt.Sprintf("%s/2.0/groups/%s/memberships", baseUrl, groupId)
+	usersUrl := fmt.Sprintf("%s/2.0/groups/%s/memberships", c.baseURL, groupId)
 
 	var res struct {
 		paginationData
@@ -216,7 +224,7 @@
 
 // GetCurrentUserWithEnterprise returns current user with enterprise data.
 func (c *Client) GetCurrentUserWithEnterprise(ctx context.Context) (User, error) {
-	usersUrl := fmt.Sprint(baseUrl, "/2.0/users/me")
+	usersUrl := fmt.Sprint(c.baseURL, "/2.0/users/me")
 	params := url.Values{}
 	params.Set("fields", "enterprise,role,name")
 
@@ -233,7 +241,7 @@
 
 // GetGroup returns Box group details.
 func (c *Client) GetGroup(ctx context.Context, groupId string) (Group, error) {
-	usersUrl := fmt.Sprint(baseUrl, "/2.0/groups/", groupId)
+	usersUrl := fmt.Sprint(c.baseURL, "/2.0/groups/", groupId)
 
 	var res Group
 	params := url.Values{}
@@ -262,7 +270,7 @@
 	req.Header.Add("accept", "application/json")
 	req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", c.token))

 	resp, err := c.httpClient.Do(req)
 	if err != nil {
 		return err
 	}

diff --git a/pkg/config/conf.gen.go b/pkg/config/conf.gen.go
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -23,11 +23,18 @@ var (
 		field.WithDescription("ID of your Box enterprise."),
 		field.WithRequired(true),
 	)
+	BaseURLField = field.StringField(
+		"base-url",
+		field.WithDescription("Override the Box API URL (for testing or enterprise deployments)"),
+		field.WithHidden(true),
+		field.WithExportTarget(field.ExportTargetCLIOnly),
+	)
 )
 
 //go:generate go run ./gen
 var Config = field.NewConfiguration([]field.SchemaField{
 	ClientID,
 	ClientSecret,
 	EnterpriseID,
+	BaseURLField,
 })
diff --git a/pkg/connector/connector.go b/pkg/connector/connector.go
@@ -45,19 +45,19 @@ type Box struct {
 	client *box.Client
 }
 
-func New(ctx context.Context, clientId string, clientSecret string, enterpriseId string) (*Box, error) {
+func New(ctx context.Context, clientId string, clientSecret string, enterpriseId string, baseURL string) (*Box, error) {
 	httpClient, err := uhttp.NewClient(ctx, uhttp.WithLogger(true, ctxzap.Extract(ctx)))
 	if err != nil {
 		return nil, err
 	}
 
-	token, err := box.RequestAccessToken(ctx, clientId, clientSecret, enterpriseId)
+	token, err := box.RequestAccessToken(ctx, clientId, clientSecret, enterpriseId, baseURL)
 	if err != nil {
 		return nil, fmt.Errorf("box-connector: failed to get token: %w", err)
 	}
 
 	return &Box{
-		client: box.NewClient(httpClient, token),
+		client: box.NewClient(httpClient, token, baseURL),
 	}, nil
 }