A Box MCP server lets an AI agent reach into your enterprise content — search across files, run multi-file analysis and extract metadata — while Box keeps its own permissions and governance in force. It's one of the cleaner "connect the AI to the document store" stories of 2026 because Box hosts the endpoint for you. Here's how to wire it up.
Option A — Box's hosted endpoint (recommended)
Box runs MCP at a single hosted URL, https://mcp.box.com. You don't run Box's server yourself for the standard integration — you point a client or agent platform at that endpoint and authorise over OAuth. In Claude, add it as a custom remote connector, complete the Box login, and the agent inherits your Box permissions: it can only see what your account can see.
The hosted server supports secure connections from Claude, Microsoft Copilot Studio, Azure API Center and Mistral Le Chat, with more platforms landing through 2026 (it shipped into the watsonx Orchestrate catalog in May). Because access flows through Box's own authorization, enterprise governance and audit policies still apply to every call.
Option B — open-source self-host
If you need the server inside your own boundary, the community box-community/mcp-server-box project runs locally against the Box API. You authenticate with a Box developer token or a JWT/OAuth app, then drop it into your client config as a stdio server. This route trades Box's managed hosting for full control over where the process runs — useful when policy forbids third-party remote connectors.
What you can ask
The headline jobs are retrieval and synthesis: "find the latest signed MSA for this customer," "summarise every spec in this folder," or "pull the contract value and renewal date from these PDFs." Advanced search and metadata extraction across many files give the agent the context it needs without you hand-feeding documents.
Scope it safely
Content stores are full of sensitive material, so the safest posture is read-first. Grant the connector read scopes, lean on Box's existing folder permissions rather than widening them for the AI, and keep write or move actions behind explicit human approval. Treat the OAuth grant as high-privilege and review exactly which content roots it can reach. See MCP security best practices, MCP permission scoping patterns and how to vet MCP servers.
Going further
Box pairs well with the rest of a knowledge stack — see Google Drive MCP setup, Confluence MCP setup and the knowledge category. For retrieval over your own corpus, read vector memory for AI agents, or grab a ready loadout.