I’m an admin in our Box Business (not Plus) account and have already enabled all the required permissions as outlined in the Box documentation.
I’m trying to impersonate a user using the As-User header, but when I use an OAuth 2.0 access token obtained via the refresh token flow, I consistently receive a 403 Forbidden error.
However, when I use a Developer Token generated directly from the Box Developer Console (UI), the same API call works without issues.
What could I be missing here?
Does the Developer Token grant broader permissions compared to tokens obtained via the OAuth 2.0 refresh token flow?
Is there something I need to configure differently during authentication to ensure the correct permissions or context are applied?
