Javascript code for Box API

I am trying to connect to get token from Box API in JavaScript. I have try by postman tool and get access token, refresh token and using that. My problem is we have a desktop app which needs to communicate with the box API, from what I can tell OAuth which box uses for authorisation, thats difficult to get that situation to work. Is this possible to get access token, refresh token from JavaScript while i have clientId and clinetSecret.

var data = “grant_type=authorization_code&client_id=a88poz4lxvvrc8rt05dfff18kxsrr9bt&client_secret=ODlKo861AeQuHULGCsNOCtdUpFzdz0eA&code=8CRXFOQIGW4xQ1FRBRjZh5IxqGX4FqEt”;

var xhr = new XMLHttpRequest();
xhr.withCredentials = true;

xhr.addEventListener(“readystatechange”, function () {
if (this.readyState === 4) {
console.log(this.responseText);
}
});

xhr.open(“POST”, “https://www.box.com/api/oauth2/token”);
xhr.setRequestHeader(“cache-control”, “no-cache”);
xhr.setRequestHeader(“postman-token”, “32367aa0-6b9e-0ff4-2dfe-5413204a2d5a”);
xhr.setRequestHeader(“content-type”, “application/x-www-form-urlencoded”);

xhr.send(data);

It seems that you are interacting directly with Box OAuth API instead of using the Auth0 Box social connection which is fine and from your description it seems to make sense given that you need access to the Box API for more than just end-user authentication. However, with that in mind you may want to consider posting the question in a more general forum like SO which may have more people versed specifically with Box. Nonetheless, have in mind that a Javascript browser-based application is considered an OAuth 2.0 public client because it would not be able to maintain the assigned client secret confidential (the secret would be available in the source code) so what you’re trying to perform does not seem correct.