When making API calls to various objects, the following error can be returned in the response:
{"status":403,"code":"access_denied_insufficient_permissions"...}
This error is returned whenever one of Box's two permission checks fails. For any action taken via the API, Box checks:
1) The permissions of the user who owns the access token (or the user named in the As-User header, if one is sent)
2) The permissions/scopes of the application
If either check finds insufficient permissions, the error is returned; the response does not say which of the two checks failed, so both must be verified.
Environment
Box Platform - API Calls to Box via a custom application
Steps To Resolve
Check that the user who owns the access token has permission to perform the task. The easiest check is whether the same user can perform the same action in the Box Web App. For example:
- If using the "As-User" header to act as another user, check whether the token's user can use the "Log in as this user" option for that user in the Admin Console. Common failures here are the token's user not having co-admin permissions, a co-admin trying to act as another co-admin, or a co-admin trying to act as the primary admin.
- If using an advanced feature such as Legal Holds, the enterprise must be licensed for that feature.
- Some actions are not permitted for any user; for example, you cannot add a collaborator to your root folder.
- Note: Co-admins do not have permission to manage other co-admin accounts, which is why the co-admin As-User cases above fail.
Check that the application has permission to do the task by reviewing the scopes enabled for it. Depending on the authentication method, there are two places to check:
- (Standard and Server Authentication) The Configuration page for the app in the Developer Console.
- (Server Authentication only) The app's authorization in the enterprise, via Admin Console -> Business/Enterprise settings -> Apps -> Custom Application -> View App Authorization.
- When an admin authorizes a Server Auth app in the Admin Console, the authorization records the set of scopes the app had at that moment. If the app's scopes change afterwards, the app must be reauthorized for the change to take effect in the enterprise (the admin effectively has to approve the new scopes). Until then, calls that need the newly added scope will fail with this error even though the Developer Console shows the scope as enabled.
For example:
- A call to the /users endpoint requires the "manage users" scope to be enabled.
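Because the 403 body does not say which check failed, a quick way to narrow it down is to issue the same request twice: once with the As-User header and once as the token's own user. If only the As-User call fails, the token's user is not allowed to act as that user; if both fail, the token user's own permission or the app's scopes are the problem. The following is an added example, not code from Box or from this article. It uses an injected transport callable so it runs offline; the `fake_box_transport` function, the user IDs, and the enterprise setup it models (token owner is a co-admin; the app lacks "manage users") are all constructed for illustration. In production the transport would wrap a real HTTPS call to https://api.box.com/2.0.

```python
import json
from typing import Callable, Dict, Tuple

# The error code Box returns when either permission check fails.
INSUFFICIENT_PERMISSIONS = "access_denied_insufficient_permissions"

# A transport performs one request and returns (status_code, body_text).
# Injected so the diagnostic can be exercised without network access.
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


def is_insufficient_permissions(status: int, body: str) -> bool:
    """True only for the specific 403 this article covers (not other 403s)."""
    if status != 403:
        return False
    try:
        err = json.loads(body)
    except ValueError:
        return False
    return err.get("code") == INSUFFICIENT_PERMISSIONS


def isolate_as_user_failure(transport: Transport, method: str, path: str,
                            access_token: str, as_user_id: str) -> str:
    """Run the call with As-User, then (if denied) without it, and classify.

    Returns one of:
      "ok"                  - the As-User call succeeded
      "as_user_not_allowed" - works as the token owner but not with As-User:
                              the token owner cannot act as that user (e.g. not
                              a co-admin, co-admin -> co-admin, or -> primary admin)
      "base_call_denied"    - denied even without As-User: check the token
                              user's own permission and the app's scopes
      "other_error"         - a different failure, not this permission error
    """
    base_headers = {"Authorization": f"Bearer {access_token}"}
    with_as_user = dict(base_headers, **{"As-User": as_user_id})

    status, body = transport(method, path, with_as_user)
    if status < 400:
        return "ok"
    if not is_insufficient_permissions(status, body):
        return "other_error"

    # Same request, now as the token's own user.
    status, body = transport(method, path, base_headers)
    if is_insufficient_permissions(status, body):
        return "base_call_denied"
    return "as_user_not_allowed"


def fake_box_transport(method: str, path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Constructed stand-in for api.box.com (not Box's behaviour verbatim).

    Models: the token owner is a co-admin; 'co_admin_b' is another co-admin;
    'primary_admin' is the primary admin; 'user_c' is a regular managed user;
    the app does NOT have the "manage users" scope enabled.
    """
    denied = (403, json.dumps({"status": 403, "code": INSUFFICIENT_PERMISSIONS}))
    if path == "/missing":
        return 404, json.dumps({"status": 404, "code": "not_found"})
    if path.startswith("/users"):
        return denied  # app scope check fails regardless of user
    if headers.get("As-User") in ("co_admin_b", "primary_admin"):
        return denied  # co-admin may not act as another co-admin or the primary admin
    return 200, json.dumps({"type": "folder", "id": "0"})


if __name__ == "__main__":
    for target, path in [("user_c", "/folders/0"), ("co_admin_b", "/folders/0"),
                         ("user_c", "/users"), ("user_c", "/missing")]:
        print(f"{path} as {target}: "
              f"{isolate_as_user_failure(fake_box_transport, 'GET', path, 'tok', target)}")
```

The second request is only sent when the first one returns this specific error code, so the probe never masks an unrelated failure (for example a 404) as a permission problem.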
Root Cause
Either the user who owns the access token (or the As-User target) does not have permission to perform the requested action, or the application does not have the scope required for it (including the case where a Server Auth app's scopes changed but the app was not reauthorized). If you need further assistance, please file a ticket with Box User Services.