I’m an admin in our Box Business (not plus) account and have already enabled all the required permissions as outlined in the Box documentation.

I’m trying to impersonate a user using the As-User header, but when I use an OAuth 2.0 access token obtained via the refresh token flow, I consistently receive a 403 Forbidden error.

However, when I use a Developer Token generated directly from the Box Developer Console (UI), the same API call works without issues.
 

What could I be missing here?

Does the Developer Token grant broader permissions compared to tokens obtained via the OAuth 2.0 refresh token flow?

Is there something I need to configure differently during authentication to ensure the correct permissions or context are applied?