Hello,
I’m facing an issue with my application that uses Client Credentials Grant. The app has already been authorized by the organization admin.
I’m able to authenticate successfully using this request:
```
curl --location 'https://api.box.com/oauth2/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'client_id=<CLIENT_ID>' \
  --data-urlencode 'client_secret=<CLIENT_SECRET>' \
  --data-urlencode 'box_subject_type=enterprise' \
  --data-urlencode 'box_subject_id=<ENTERPRISE_ID>'
```
With the token obtained, I can successfully call the metadata endpoint:
```
curl --location 'https://api.box.com/2.0/files/<FILE_ID>' \
  --header 'authorization: Bearer <TOKEN>'
```
This returns the file information correctly.
However, when I try to download the file, I get a 403 error with code access_denied_insufficient_permissions:
```
curl --location 'https://api.box.com/2.0/files/<FILE_ID>/content' \
  --header 'authorization: Bearer <TOKEN>'
```
Additional details:
- I already shared the folder with the service account email as co-owner in the Box web interface.
- All available scopes for the app have been enabled in the developer console (including read/write for files and folders).
- The problem only occurs when downloading the file.

Could anyone clarify why metadata works but downloading fails? Am I missing a specific permission or configuration for Client Credentials apps?
Thanks in advance.
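
Added example, not part of the original post: one way to narrow down the 403 described above is to repeat the metadata call with `?fields=permissions` and compare the returned `can_download` flag with the download result. The function names and the wording of the messages are this example's own assumptions; `diagnose` needs network access and real credentials.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

API = "https://api.box.com"

def token_request(client_id, client_secret, enterprise_id):
    """Same Client Credentials Grant request as the first curl call in the post."""
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "box_subject_type": "enterprise",
            "box_subject_id": enterprise_id}
    return urllib.request.Request(f"{API}/oauth2/token",
                                  data=urllib.parse.urlencode(form).encode())

def file_request(file_id, token, suffix=""):
    """GET /2.0/files/<id><suffix>; suffix is '?fields=permissions' or '/content'."""
    return urllib.request.Request(f"{API}/2.0/files/{file_id}{suffix}",
                                  headers={"Authorization": f"Bearer {token}"})

def send(req):
    """Return (status, parsed JSON body or {}); HTTP errors are returned, not raised."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw, status = resp.read(), resp.status
    except urllib.error.HTTPError as err:
        raw, status = err.read(), err.code
    try:
        return status, json.loads(raw)
    except ValueError:
        return status, {}  # e.g. the file bytes of a successful download

def explain(meta, status, error=None):
    """Relate the download status to the permissions object of the metadata call."""
    if status == 200:
        return "download allowed"
    code = (error or {}).get("code", "no error code")
    can_download = (meta.get("permissions") or {}).get("can_download")
    if can_download is False:
        return f"{status} {code}: this token's user has can_download=false on the file"
    if can_download is True:
        return f"{status} {code}: can_download=true, look beyond the collaboration role"
    return f"{status} {code}: no permissions object; request ?fields=permissions"

def diagnose(client_id, client_secret, enterprise_id, file_id):
    """Live run against Box (needs network and real credentials)."""
    _, tok = send(token_request(client_id, client_secret, enterprise_id))
    _, meta = send(file_request(file_id, tok["access_token"], "?fields=permissions"))
    status, body = send(file_request(file_id, tok["access_token"], "/content"))
    return explain(meta, status, body if isinstance(body, dict) else None)
```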