API [JWT] - Cannot Obtain Token Based on Enterprise Configuration for Your App

When attempting to obtain a token via Server Authentication, the following error message is returned:

{  "error": "invalid_request",  "error_description": "Cannot obtain user token based on the enterprise configuration for your app" } 

Environment

Any custom application making API calls to obtain a user token/client (and not a service account or enterprise token) using Server Authentication.

Examples:

• https://github.com/box/box-node-sdk#app-auth-client
• https://github.com/box/box-windows-sdk-v2#create-an-app-user

Resolution Steps

Ensure the proper scopes are enabled for the application.

Root Cause

To obtain a token for a user through JWT Authentication, two items are required:

1. The "Generate user access tokens" scope is enabled in the application's configuration page.
2. If the user ID passed in the JWT is an app user, "Application Access" is required (also on the application's configuration page). If the user ID passed in the JWT is a managed user, "Enterprise Access" is required.

Make sure to re-authorize the application in the enterprise's Administrator Console after making any changes to a Server Authentication app.