
[.NET] Service Account with Editor Permissions Getting Insufficient Scope Error

  • May 22, 2025
  • 3 replies
  • 65 views


I am using the Box V2.Core SDK to upload files through the API.  I can successfully authenticate using JWT and read folder information as the service account, but when I attempt to upload a file I get the following error:

"Bearer realm="Service", error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token.""

The Service Account is listed as a collaborator with editor permissions on the folder that I'm trying to upload to (my account is the middle co-owner and the service account is the bottom):

[Screenshot: BOX1_7HUd_BodPB2kDr6Pu0n02g.png]

Here is an example of my code that is producing this error:

using System.IO;
using Box.V2.Config;
using Box.V2.JWTAuth;
using Box.V2.Models;

// Load the JWT app settings downloaded from the developer console
var configFilePath = Path.Combine(Directory.GetCurrentDirectory(), "boxconfig.json");
IBoxConfig boxConfig;

await using (var configStream = File.OpenRead(configFilePath))
    boxConfig = BoxConfig.CreateFromJsonFile(configStream);

// Authenticate as the app's Service Account
var auth = new BoxJWTAuth(boxConfig);
var token = auth.AdminToken();
var client = auth.AdminClient(token);

var request = new BoxFileRequest
{
    Name = "test.jpg",
    Parent = new BoxRequestEntity { Id = <myFolderId> },
};

// this source of a byte[] is just an example
var bytes = await File.ReadAllBytesAsync(<myFilePath>);
await using var stream = new MemoryStream(bytes);

// this line throws the insufficient_scope error
await client.FilesManager.UploadAsync(request, stream);

What am I missing?  Shouldn't my service account have permission to perform this action?

3 replies


Hi Daren, 

Happy to try to help. 

Can I have the client id associated with the application you're having issues with? 

Thanks, 

Alex, Box Developer Advocate



Hi Alex,

Thank you for following up.  I was actually able to solve the problem by re-creating the app and re-inviting the new Service Account, though I'm not sure what was preventing it from working correctly originally.  For any future readers, here are all of the steps I had to follow to allow my Service Account to upload to an existing Enterprise folder:

  1. In the developer console, create a new Custom App and select JWT Auth as the method of authentication.
  2. In the app's Configuration tab, set App Access Level to "App + Enterprise Access"
  3. Select any other Actions the app will need to perform under Application Scopes (everything I needed was already selected after changing the above)
  4. Under "Add and Manage Public Keys", generate a new key pair and download the JSON configuration file
  5. Request authorization from enterprise admin to generate a Service Account
  6. Once authorized, copy the Service Account's generated email address as listed under "Service Account Info" in the General Settings tab
  7. Navigate back to the target folder / box location and Manage Collaborators.  Invite the Service Account to collaborate with at least Editor-level permissions.

After doing all of the above, I was able to authenticate successfully and upload a file to my target folder.  My guess is that my initial app was unintentionally created as a Limited Access App, so even though it was explicitly listed as a Collaborator before, the overall app permission wasn't enough to permit the upload.  A total guess, but either way the above steps should work for anyone in a similar position.
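The error string quoted in the question is an RFC 6750 Bearer challenge, and its `error` code says whether the token or the app's granted privileges are at fault. The following is an added example, not part of the original posts and not Box SDK code: `BearerChallenge` and its methods are hypothetical names, and pointing `insufficient_scope` at the app's console settings is an assumption drawn from the steps in the reply above.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public static class BearerChallenge
{
    // key="value" pairs; quoted values may contain backslash-escaped characters.
    private static readonly Regex Pair =
        new Regex(@"(\w+)\s*=\s*""((?:[^""\\]|\\.)*)""", RegexOptions.Compiled);

    // Extracts the auth-params (realm, error, error_description, ...) of a Bearer challenge.
    public static Dictionary<string, string> Parse(string header)
    {
        var result = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        int start = (header ?? "").IndexOf("Bearer ", StringComparison.OrdinalIgnoreCase);
        if (start < 0) return result;                      // not a Bearer challenge
        foreach (Match m in Pair.Matches(header.Substring(start + 7)))
            result[m.Groups[1].Value] = Regex.Replace(m.Groups[2].Value, @"\\(.)", "$1");
        return result;
    }

    // Maps the RFC 6750 error code to the side of the setup worth checking first.
    public static string Diagnose(string header)
    {
        if (!Parse(header).TryGetValue("error", out var error))
            return "No error code: the request carried no token, or this is not a Bearer challenge.";
        switch (error)
        {
            case "invalid_request":
                return "400: malformed request; check how the Authorization header is built.";
            case "invalid_token":
                return "401: token expired, revoked or malformed; authenticate again.";
            case "insufficient_scope":
                // Assumption from the thread: the fix was in the app's configuration.
                return "403: token lacks a required privilege; review App Access Level and "
                     + "Application Scopes before the folder's collaborator role.";
            default:
                return "Unrecognised error code: " + error;
        }
    }

    public static void Main()
    {
        // Sample input: the challenge text quoted in the question.
        const string sample = "Bearer realm=\"Service\", error=\"insufficient_scope\", "
            + "error_description=\"The request requires higher privileges than provided by the access token.\"";
        Console.WriteLine(Diagnose(sample));
    }
}
```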



Awesome. Thanks for letting me know. Reach back out if you have further issues!