Product Guides are now available in the beta release of the redesigned, AI-powered docs.box.com. Check out all the details on what's changed.

Box Status
Print

API [JWT] - {"error":"invalid_grant","error_description":"Please check the 'sub' claim."...}

API , Troubleshooting , Admin , Box Platform , Authentication , Article , Product Utilization

A developer receives the error:

{"error":"invalid_grant","error_description":"Please check the 'sub' claim. The 'sub' specified is invalid."}

when using JWT Authentication.

 

Environment

A custom application using JWT authentication

 

Common causes

  • Using the client ID, email address, login, or service account ID as sub
  • Using a user ID while box_sub_type is enterprise, or vice versa
  • The user ID does not exist in that enterprise
  • The app is not authorized for that enterprise
  • The JWT config is from a different Box app/environment than the subject ID
 

Resolution

That error means the JWT assertion’s sub claim is not a valid subject for the token you’re trying to create.

The "sub" claim in the JWT should always be a Box ID — depending on the value of "box_sub_type" it would be either the ID of the user you're trying to generate tokens for or the ID of the enterprise you're authenticating as the service account for. 

Use the following `sub` and `box_sub_type` combinations:

  • Enterprise token: sub = <enterprise_id> and box_sub_type = enterprise
  • User token: sub = <app_user_id or managed_user_id> and box_sub_type = user

Verify that the `sub` value is correct and that you are passing it as a string.

platform_swarm_kb

Related articles