Question

Query regarding Box authentication types & scopes

  • May 21, 2025
  • 4 replies
  • 11 views


I have a Box app which has used OAuth 2.0 for the past year to back up Enterprise users' data. In order to access each user's data we had taken the 'as-user' permission.

After Box introduced another authentication flow, I am not sure whether to call my app a Box Integration or a Box Platform app.

But after this upgrade on Box, our API requests to access users' data started failing with error 403, whereas we were able to access the admin's data with the same access token.

Then we tried the following change in app settings and the API started to work. We changed:

  1. Authentication Type: Server Authentication (OAuth 2.0 with JWT)
  2. Under Scopes -> Enterprise: select Manage Enterprise, Manage Users, Manage App Users
  3. Advanced Features: select Perform actions on behalf of users

We are not using any RSA key pair for authentication.

Can you please let us know if these settings are correct? I am not able to find any documentation for this.

4 replies

Since you are accessing content from a Box user's account, this is a Box Integration use case. Your previous approach of using OAuth 2.0 and the As-User header is the recommended approach for your use case.


But using the Box Integration flow, our APIs are not able to access users' data. API key of a sample app: l5ipi8yriew0jzp1on2v4jt2jdelbjn5

My app already has 'as-user' enabled through your support channel and was working fine for the past 6 months or so. But suddenly the API requests for accessing users' data have started failing with error 403.

Is it a bug at your end? Can you please confirm this on priority.


Hey Aditya,

Are you using an admin / co-admin account to make these calls?

Best,

Sanjay


We are making REST API calls using an access token, with the As-User header.

API: "https://api.box.com/2.0/folders/{folder_id}/items?.." is failing when used with the following headers:

headers:{'As-User': u'removed for privacy', 'Content-Type': 'application/json', 'Authorization': 'Bearer ', 'Accept': 'application/json'}

This API request with the exact same headers was working previously.

Can someone please do a quick RCA on this?
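An added example (not code from this thread, nor Box's own SDK) of a pre-flight check a backup job can run before touching any user folders: it sends GET /users/me with the As-User header and confirms that the identity Box answers with is the target user, so a 403 like the one above surfaces as "forbidden" before any data access is attempted. The token value, user ids and the fake transport are constructed placeholders.

```python
"""Pre-flight check that a Box access token may act as a given user.

Box treats a request carrying an As-User header as coming from that user,
so GET /users/me should answer with the target user's own record. A 403
means the app or token is not permitted to impersonate that user."""
import json
import urllib.request
from urllib.error import HTTPError

BOX_API = "https://api.box.com/2.0"


def box_get(path, token, as_user=None):
    """GET a Box API path; returns (http_status, parsed_json_or_empty_dict)."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    if as_user is not None:
        headers["As-User"] = str(as_user)   # impersonation header from the thread
    req = urllib.request.Request(f"{BOX_API}{path}", headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.load(resp)
    except HTTPError as err:
        return err.code, {}


def check_impersonation(token, target_user_id, get=box_get):
    """Classify the result: 'ok', 'forbidden', 'wrong_identity' or 'error'."""
    status, body = get("/users/me", token, as_user=target_user_id)
    if status == 403:
        return "forbidden"          # As-User not honoured for this token/app
    if status != 200:
        return "error"              # e.g. 401 expired token, 5xx outage
    if str(body.get("id")) != str(target_user_id):
        return "wrong_identity"     # Box answered as some other account
    return "ok"


def fake_box(path, token, as_user=None):
    """Constructed offline stand-in for box_get; all values are placeholders."""
    if token != "ADMIN_TOKEN_PLACEHOLDER":
        return 401, {}
    if as_user == "12345":          # user the token is allowed to act as
        return 200, {"id": "12345", "name": "Backup Target"}
    return 403, {}                  # impersonation denied, as in the thread


if __name__ == "__main__":
    for uid in ("12345", "67890"):
        print(uid, check_impersonation("ADMIN_TOKEN_PLACEHOLDER", uid, get=fake_box))
```

Swap the fake transport for the real `box_get` to run it against a live tenant; an "ok" for every user the job will touch is the condition to require before starting the backup.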