Generate a User Access Token with cURL/PHP

Go to solution
New Contributor

Generate a User Access Token with cURL/PHP

Hey all, Im in need of some help here

Im developing some features for a company intranet, this company uses Box with its employees for file sharing and storage.

What its needed


- users will have a widget inside the intranet to browse and download and upload files to their Box account (all managed accounts, already created and being used)
- since users are already logged in the intranet, they should not have to log in to Box or have to authorize it manually

Reading the docs, I figure what I need to do is to create an app with JWT auth and "Generate user access tokens" set to true, then I can use the generated access token to display a Box Content Explorer and a Box Content Uploader to the user to manage files from his account inside the intranet. This is possible, right?

Thing is, the backend is in PHP (the intranet is built in Wordpress), so no official SDK and the examples and docs are lacking

What I have to do, from what I understand:

1- authenticate with JWT (to that I can follow this helpful guide which even has PHP examples to get an access token
2- make an API call to find the Box user by his/her email, so I can get the user Box ID
3- make a API call to "Generate a User Access Token" for the logged user
4- use that access token from 3 to load the Box Content Explorer and Box Content Uploader to the user

Problem is step 3: I have no idea how to do it. The examples in the docs ( are all using the SDKs, so not an option here. I cant find the method to do this on the API reference ( or on the Postman collection

So, how do I generate a user access token without any of the SDKs? Is there any recipe, example or docs on that? Whats the API method used?


Thank you all

Tags (1)
Box Employee

Re: Generate a User Access Token with cURL/PHP

Hi @DiogoAbdalla, glad to hear those code examples were helpful! I believe @cbetta wrote those and I think he'd be happy to hear that :)

Your understanding is perfectly in line with how we see customers utilize Box when:

- No user authorization is desired

- You want a custom UI interface (so you're using the UI elements)


For your step 3, that's actually just a repeat of step 1. When you authenticate with JWT in step 1, the PHP snippet looks something like this:

$claims = [
  'iss' => $config->boxAppSettings->clientID,
  'sub' => $config->enterpriseID,
  'box_sub_type' => 'enterprise',
  'aud' => $authenticationUrl,
  // This is an identifier that helps protect against
  // replay attacks
  'jti' => base64_encode(random_bytes(64)),
  // We give the assertion a lifetime of 45 seconds 
  // before it expires
  'exp' => time() + 45,
  'kid' => $config->boxAppSettings->appAuth->publicKeyID

This gives an access token for the service account, which is created when the app is authorized in the admin console.


To generate a user access token, replace "sub" with the integer user ID and the sub_type with the string "user". With your new claims, you should be able to make the same API call from step 1 with your slightly different JWT assertion, and get back an access token for a user.


Does that make sense? It sounds like you are 99% of the way there. Let me know if there's anything I can clarify on that.




New Contributor

Re: Generate a User Access Token with cURL/PHP

Yes it does!


Thank you a lot, I think I can make this work now

Tags (1)
New Contributor

Re: Generate a User Access Token with cURL/PHP

edit: nevermind, I was being dumb (there was a typo)

New Contributor

Re: Generate a User Access Token with cURL/PHP

Hi again, folks, Im in need of some more help. I hope its ok to use this same thread. If it inst, I can start a new one.


Anyway, Ive followed the docs and Jason tips above and manage to get it working 100% on my local server.


Than I uploaded it to our test server and its not working there: I get an error trying to get the service user access token:

error: invalid_grant


Please check the 'exp' claim. The 'exp' value exceeds the maximum value of (truncated...)


Ive searched here and its supposed to be related to server time. But the server clock is correct, is using ntp, and its the same as my local machine


What else could it be?

New Contributor

Re: Generate a User Access Token with cURL/PHP

Hi can you please help me getting my user access token by using JWT SDK

I used the below code but it shows some error...

where do we get jwt_key_id,cert.pem 

while running the code i got the error "user() missing 1 required positional argument: 'self'"


user = client.user(user_id='12345')

auth = JWTAuth(
user_client = Client(auth