Skip to main content
Question

Platform App restrictions

  • July 8, 2026
  • 0 replies
  • 26 views

We created a Box Platform App using JWT server authentication. The app is configured as App Access Only, not App + Enterprise Access, and the authorized scope currently shown is “Read all files and folders stored in Box.”

The JWT token authenticates as the app’s Service Account / Automation User. In our case, the token identifies as:

Name of automation service

E-mail of automation service

What is confusing is that we have not intentionally collaborated that Service Account onto the target folder or any parent folder. The folder and test Excel files were created by my sandbox admin user, not by the Service Account. Despite that, when we call the Box API with the JWT Service Account token and provide the folder ID, the app can list the folder contents and read file/folder metadata.

For example, it can see the folder and files and read metadata such as owner, creator, file name, file ID, permissions, etag, etc. The metadata shows the folder/file is owned and created by my sandbox user, not the Service Account. However, the permissions object shows can_download=false, and calls to GET /2.0/files/{file_id}/content return 403 access_denied_insufficient_permissions.

We attempted to explicitly add the Service Account / Automation User as a collaborator on the target folder. In the Box UI, using Add Users / Invite Collaborators with the AutomationUser email does not work; Box reports that the user is already part of the organization. When we try to create/find that user under users, Box indicates the user already exists, but we cannot locate/select it in the normal user/collaboration UI.

So the question is: in Box terminology, what is the correct mechanism to lock this Platform App / JWT Service Account down to a single folder? Specifically, how do we grant the Service Account access only to one designated inbound folder, while preventing it from being able to enumerate or read metadata from arbitrary folders in the sandbox/enterprise if it is given a folder ID?

We want the final pattern to be least-privilege:

  • Platform App
  • JWT server authentication
  • App Access Only
  • Service Account / Automation User
  • No App + Enterprise Access
  • No administrative scopes
  • Access limited to one inbound folder tree only
  • Ability to list and download files from that folder for an automated import job