Hello,

I’m facing an issue with my application that uses Client Credentials Grant. The app has already been authorized by the organization admin.

I’m able to authenticate successfully using this request:

curl --location 'https://api.box.com/oauth2/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'client_id=<CLIENT_ID>' \
  --data-urlencode 'client_secret=<CLIENT_SECRET>' \
  --data-urlencode 'box_subject_type=enterprise' \
  --data-urlencode 'box_subject_id=<ENTERPRISE_ID>'

With the token obtained, I can successfully call the metadata endpoint:

curl --location 'https://api.box.com/2.0/files/<FILE_ID>' \
  --header 'authorization: Bearer <TOKEN>'

This returns the file information correctly.

However, when I try to download the file, I get a 403 error with code access_denied_insufficient_permissions:

curl --location 'https://api.box.com/2.0/files/<FILE_ID>/content' \
  --header 'authorization: Bearer <TOKEN>'

Additional details:

  • I already shared the folder with the service account email as co-owner in the Box web interface.

  • All available scopes for the app have been enabled in the developer console (including read/write for files and folders).

  • The problem only occurs when downloading the file.

Could anyone clarify why metadata works but downloading fails? Am I missing a specific permission or configuration for Client Credentials apps?

Thanks in advance.
