Hello,

I’m facing an issue with my application that uses Client Credentials Grant. The app has already been authorized by the organization admin.

I’m able to authenticate successfully using this request:

curl --location 'https://api.box.com/oauth2/token' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'grant_type=client_credentials' \ --data-urlencode 'client_id=<CLIENT_ID>' \ --data-urlencode 'client_secret=<CLIENT_SECRET>' \ --data-urlencode 'box_subject_type=enterprise' \ --data-urlencode 'box_subject_id=<ENTERPRISE_ID>'

With the token obtained, I can successfully call the metadata endpoint:

curl --location 'https://api.box.com/2.0/files/<FILE_ID>' \ --header 'authorization: Bearer <TOKEN>'

This returns the file information correctly.

However, when I try to download the file, I get a 403 error with code access_denied_insufficient_permissions:

curl --location 'https://api.box.com/2.0/files/<FILE_ID>/content' \ --header 'authorization: Bearer <TOKEN>'

Additional details:

• I already shared the folder with the service account email as co-owner in the Box web interface.

• All available scopes for the app have been enabled in the developer console (including read/write for files and folders).

• The problem only occurs when downloading the file.

Could anyone clarify why metadata works but downloading fails? Am I missing a specific permission or configuration for Client Credentials apps?

Thanks in advance.