Skip to main content
Question

JWT Service Account?

  • May 21, 2025
  • 3 replies
  • 90 views
C
Forum|alt.badge.img

I'm new to developing on the Box platform so apologies if my question comes across as silly, but after about a frustrating week of trying to get going with some python script, it looks like I've been going about this all wrong.  I've tried both standard Oauth 2 and Oauth 2 with JWT and can successfully get tokens in both cases, but can't do much of anything beyond that.

 

Long story short, I'm really just trying to creat an app that can read files and folders on our Box platform and download information on them, and who they are shared with (file ACL's).  In the case of using JWT server-to-server authentication, I generate my access tokens, create an app user and get the access token of my app user, but I kept getting a 403 error when trying to access a known folder on box.

 

Reading through the documentation as I have been this whole time, I missed this: "An App User access token can only access content from its own account" from https://developer.box.com/docs/service-account.

I must have missed something: How do you create a service account?  How does one go about connect using JWT server-to-server to get information on files and folders?

    3 replies

    C
    Forum|alt.badge.img

    Hello ,

    The service account or the app account do not have unlimited access to everything unless you request it to be enabled to box personnel. The other option is to use the AS-USER property to emulate them but it is only recommended for development. 

     

    I understand that the 403 error you receive is because you have not added the app user to the folder you are trying to access. So, the first thing to avoid receiving the error is to add the user as you would do with a named user.

     

    Regards 

    C
    Forum|alt.badge.img

    Hi,

     

    Thanks for responding LoCortes: It looks like my problem was just the order in which I was going about getting information off the platfoorm and a lack of understanding how it's setup, or how it works.

     

    My thinking was something like this:

    1. Generate JWT using enterprise id
    2. Use JWT to get access token
    3. Create App User
    4. Get access token for App User
    5. Get folder info on known folder (owned by me) using app user token

     

    This doesn't work.

     

    I found this artile today, which gave me a clue as to the right away to go about this: 

    https://community.box.com/t5/Box-Developer-Forum/Content-API-Question-File-ID-is-available-but-Cannot-Download-it/td-p/21260

     

    This process is from the linked doc above:

     

    1. Generate JWT using my Enterprise ID
    2. Use this JWT to send a post request to Box API 'https://api.box.com/oauth2/token' to get Enterprise Access Token
    3. Use https://api.box.com/2.0/users -H "Authorization: Bearer EnterprisAccessToken" to get user_id
    4.Generate JWT using my user_id
    5. Use new JWT to get User Access Token
    6. Use User Access Token to download my file

     

    THIS is the right order of things.  Based on that, I was able to sort out the logic in my app and rework my functions.  I'm getting data now.

     

    Thanks!

    C
    Forum|alt.badge.img

    Felt compelled to give you some feedback (despite the fact this post 4 years old).

    Service Accounts are generated with an Authorized App within the Box Dev Console.
    https://developer.box.com/guides/authentication/user-types/service-account/

    Once you have that, you establish a design in your app to authenticate with the Service Account and perform various functions. Mostly it's for provisioning App Users. Once AppUsers are created the same service account generates access tokens on demand for the AppUsers via their BoxID. You can then display things like UIElemens etc showing these AppUsers their own content. The Service Account can also perform other functions based on the App's defined scope.

    Terms of ServiceAccessibility statement