Skip to main content
Question

403 Forbidden on dicom import widget uploads

  • May 22, 2025
  • 3 replies
  • 6 views
C
Forum|alt.badge.img

I'm attempting to use the dicom import widget as documented here: https://developer.box.com/guides/embed/box-dicom/#Javascript-SDK

 

Everytime I attempt to upload a file, the browser console says: POST https://api.box.com/2.0/folders 403 (Forbidden)

 

Some background: I created an app and got it approved that can generate it's own access token. I've confirmed the access token exists. Some of the routes I've explored already...

 

The folder I created, I added the app as a co-owner collaborator. Using the API through PHP, I've been able to query the folder and create a sub folder, though I haven't attempted anything deeper.

 

In the app developer console, I've added the domain to the CORs domain in the two following formats: https://subdomain.domain.org/, https://subdomain.domain.org/page.php

 

The access token and the folderID are correct that I'm referencing in the javascript.

 

I attempted to create a whitelist entry via the api, for the domain formatted as 'domain.org' and the direction 'both', but was getting 403 errors as well: https://developer.box.com/reference/post-collaboration-whitelist-entries/

When I formatted the domain as https://subdomain.domain.org/ - I got a 400 error.

 

The error message I get when trying to upload is vague, for all I know, I'm missing a setting in the initializing JS entry. I'm not sure what might be causing the 403 error, but these are some of the avenues I've crossed. Does anyone else think they might be able to help?

    3 replies

    C
    Forum|alt.badge.img

    Hi  , what authentication method are you using? JWT? Standard OAUth 2? It's likely that the access token you are using represents a user that does not have access to the folder, or does not have upload permissions. You can call the `GET /users/me` endpoint to check which user the app represents.

    C
    Forum|alt.badge.img

    Yeah. The app is setup for oauth 2.0 with JWT and has the scopes for read and write all files and folders in box.

     

    Doing  a GET /users/me I get:

     

    Array
(
    [type] => user
    [id] => xxx
    [name] => xxx
    [login] => xxx
    [created_at] => 2020-04-17T12:57:50-07:00
    [modified_at] => 2020-04-17T12:57:50-07:00
    [language] => en
    [timezone] => America/New_York
    [space_amount] => 999999999999999
    [space_used] => 0
    [max_upload_size] => ***phone number removed for privacy***
    [status] => active
    [job_title] => 
    [phone] => 
    [address] => 
    [avatar_url] => xxx
    [notification_email] => Array
        (
        )

)

    I hid the user id, name, login, and avatar, but they're all there. As far as having access to the folder in question, I added the app user as a co-owner and when I use the API through PHP for https://api.box.com/2.0/folders - I can create a new folder in it.

     

    This leads me to believe that my issue is likely specific to the dicom import tool or related to dicom files in general since they seem to go through a bit of a different process in general.

    C
    Forum|alt.badge.img

     Im stumped here as well. If you are part of a paying enterprise then you can open a ticket and our support team might be able to determine the exact error of why your API fails.

    Terms & ConditionsAccessibility statement