API [JWT] - Cannot Obtain Token Based on Enterprise Configuration for Your App

When attempting to obtain a token via Server Authentication, the following error message is returned:

{  "error": "invalid_request",  "error_description": "Cannot obtain user token based on the enterprise configuration for your app" } 

Environment

Any custom application making API calls to obtain a user token/client (and not a service account or enterprise token) using Server Authentication.

Examples:

• https://github.com/box/box-node-sdk#app-auth-client
• https://github.com/box/box-windows-sdk-v2#create-an-app-user

Resolution Steps

1. Ensure that you are not passing the "user_id" of the Service Account for sub claim. The sub field is intended to allow acting on behalf of another user, not the service account itself. If you want to run API calls in the context of the service account, you should instead use enterprise token by setting the "enterprise_id" to sub field and "enterprise" to the box_sub_type field.
2. Ensure the proper scopes are enabled for the application.

Root Cause

To obtain a token for a user through JWT Authentication, two items are required:

1. The "Generate user access tokens" scope is enabled in the application's configuration page.
2. If the user ID passed in the JWT is an app user, "Application Access" is required (also on the application's configuration page). If the user ID passed in the JWT is a managed user, "Enterprise Access" is required.

Make sure to re-authorize the application in the enterprise's Administrator Console after making any changes to a Server Authentication app.