Skip to main content

I’m an admin in our Box Business (not plus) account and have already enabled all the required permissions as outlined in the Box documentation.

I’m trying to impersonate a user using the As-User header, but when I use an OAuth 2.0 access token obtained via the refresh token flow, I consistently receive a 403 Forbidden error.

However, when I use a Developer Token generated directly from the Box Developer Console (UI), the same API call works without issues.
 

What could I be missing here?

Does the Developer Token grant broader permissions compared to tokens obtained via the OAuth 2.0 refresh token flow?

Is there something I need to configure differently during authentication to ensure the correct permissions or context are applied?

 



 

 


Reply