Getting 403: Permission Denied error when using JWT Auth. credentials to upload, download and delete file from Box

New post


1 comment

  • Rui Barbosa


    That is a bit odd, so let's try to troubleshoot.

    Since I don't know what stack you're using I'll use the CLI.

    Consider the following service user associated with the CLI:

    ❯ box users:get --fields type,id,name,login --csv

    When I try to list the items of another user folder, I get a 404 not found error (not insufficient privileges):

    ❯ box folders:items 191494027812 --fields type,id,name --csv
    Unexpected API Response [404 Not Found | 30gxkzhayvxsghbq.09370dd2894de2edb1012daaedb3b1e3a] not_found - Not Found

    If the other user adds this service user as an editor to the folder:

    Note: This sharing with a service user might be the source of the issue. You have to share using the auto generated login of the service user.

    Then I get the items of the folder:

    ❯ box folders:items 191494027812 --fields type,id,name --csv

    Now if I remove the share of the folder I get back to the 404 error:

    ❯ box folders:items 191494027812 --fields type,id,name --csv
    Unexpected API Response [404 Not Found | haxvdhayw2nfpwp.0932536f44bf64cb51d7f8c94c1e92d8a] not_found - Not Found

    This JWT app is configured as:

    • Enterprise access
    • All content actions (read/write all files)
    • All administrative actions
    • Make API calls using the as-user header
    • Generate user access token

    This means it can impersonate the user, so this works even with the explicit share, which from your description seems more appropriate:

    ❯ box folders:items 191494027812 --fields type,id,name --csv --as-user 18622116055

    From the information you included, it should work, so play with these concepts to help narrow down the causes, and look into if the as-user is a more appropriate solution for your user case, since it avoids having to explicitly share each folder with the service user.

    Let us know if this helped.

    Best regards



    Comment actions Permalink

Please sign in to leave a comment.