According to BOX provider documentationclient_id andclient_secret parameters should be included in body of the request when obtaining an access token, but in current implementation they are encoded as base64 and included in Authorization header.
https://developer.box.com/reference/post-oauth2-token/

Solution is to overridegetClientAuthentication method inBoxApi20 class and returnRequestBodyAuthenticationScheme.instance() from it.

Also BoxApi20 doesn't sign requests correctly. It should be switched to useBearerSignatureAuthorizationRequestHeaderField signature instead of usingBearerSignatureURIQueryParameter. I guess for this, we just need to remove overridengetBearerSignature method from BoxApi20`.

Look at the example of API call
https://developer.box.com/reference/get-metadata-templates-enterprise-securityClassification-6VMVochwUWo-schema/