403 Status on Event API as Admin




  • Official comment

    Hello Tyler, 

    Are you the primary Admin of the Box enterprise? If not, you may not have the proper co-admin permissions to be able to use this endpoint. 


    Kourtney, Box Developer Advocate

  • Peleg Dvir

    Hello, I have the same problem.
    In my case, I am also the ADMIN of the Box enterprise.

    So I created an app with Authentication Method [OAuth 2.0 (User or Client Authentication)].
    Application Scopes:

    • Read all files and folders
    • Manage Users
    • Manage Enterprise Properties
    • Manage Webhooks
    • Enable Integrations
    • Make API calls using the as-user Header

    So when I try to make an API request to fetch a user's events, I am getting
    Code: access_denied_insufficient_permissions
    Status: 403

    I believe I have the required scopes checked, but why am I getting the issue again?

    Here is my code:

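    from boxsdk import Client, OAuth2

    client = Client(OAuth2(...))  # the OAuth2 arguments are cut off in the original post
    users_ids = [user.id for user in client.users()]
    for user_id in users_ids:
        # Impersonate each enterprise user in turn via the As-User header
        user_client = client.as_user(client.user(user_id=user_id))
        # get_events() returns a dict; the events themselves are under 'entries'
        events = user_client.events().get_events()
        for event in events['entries']:
            ...  # the loop body is cut off in the original post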

    Not sure where I went wrong!!! Thanks in advance.


  • Kourtney

    Hello Peleg, 

    Can you please try reauthorizing the app in the Admin console and when you do so, ensure that the scopes listed are what you think they are (as listed above)? 

    I just found a bug on the configuration page with saving settings that I'm thinking may be causing the issue here. I've reported it to our engineering team. 

    If reauthorizing and checking the scopes doesn't help, are you able to provide me with the following so I can take a look at our backend logs for more info? 

    • client ID of your application
    • example date/time/timezone of the error


    Kourtney, Box Developer Advocate 

  • Peleg Dvir

    Thank you,

    I tried reauthorizing the app, but could not see it in the Admin console (probably because this is an OAuth 2.0 authentication process, but my other JWT-authenticated app shows up in the App console).
    Anyway, I tried to get the access token again using the Authorize URL for my app.
    I have rechecked my app scopes as well.
    This is the response I am getting. Hope this helps.

    "GET https://api.box.com/2.0/events?limit=100&stream_position=0&stream_type=all" 403 217
    {'Date': 'Tue, 13 Apr 2021 09:33:30 GMT', 'Content-Type': 'application/json', 'Transfer-Encoding': 'chunked', 'Connection': 'keep-alive', 'Strict-Transport-Security': 'max-age=31536000', 'Cache-Control': 'no-cache, no-store', 'Content-Encoding': 'gzip', 'BOX-REQUEST-ID': '18188dd3a69de74c83a3fb9ad860047d5'}
    {'code': '---ions',
    'help_url': 'http://developers.box.com/docs/#errors',
    'message': 'Access denied - insufficient permission',
    'request_id': '3gs9cxgpi910z1jg',
    'status': 403,
    'type': 'error'}
  • Kourtney

    Apologies, I see now you stated before your app was OAuth2. On the backend I'm seeing the 403 is caused by that app not having as-user permissions. However, two things to note here: 

    1. You cannot as-user as the Admin of an enterprise

    2. You stated above you are the Admin of the enterprise, so there is no need to as-user here 


    Kourtney, Box Developer Advocate

    Comment actions Permalink
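Following the last reply, an added example (not code from the thread or from Box): one way to restructure the posted loop so the Admin's own events are read with the plain client, As-User is used only for other users, and a 403 is recorded per user instead of stopping the run. The names `collect_user_events`, `Denied`, `FakeUser` and `FakeClient` are assumptions; the stub classes are constructed so the block runs offline and expose only the client calls seen in the posted snippet.

```python
class Denied(Exception):
    """Constructed stand-in for an API error exposing .status and .code."""
    def __init__(self, status, code):
        super().__init__(code)
        self.status, self.code = status, code

def collect_user_events(client, limit=100):
    """Return ({user_id: [events]}, [(user_id, error_code)]) for all users."""
    me = client.user().get()  # the user the access token belongs to (the Admin here)
    events, denied = {}, []
    for user in client.users():
        # Read the Admin's stream with the plain client: As-User cannot target
        # the Admin, which is the case the last reply points out.
        scoped = client if user.id == me.id else client.as_user(user)
        try:
            page = scoped.events().get_events(limit=limit, stream_position=0)
        except Exception as exc:
            if getattr(exc, "status", None) != 403:
                raise
            # Keep a per-user record of refusals for later review.
            denied.append((user.id, getattr(exc, "code", None)))
            continue
        events[user.id] = page["entries"]  # get_events() returns a dict
    return events, denied

class FakeUser:
    """Constructed user object with only the attributes used above."""
    def __init__(self, uid):
        self.id = uid
    def get(self):
        return self

class FakeClient:
    """Constructed offline client; refuses As-User on the Admin and on `blocked` ids."""
    def __init__(self, admin_id, user_ids, acting_as=None, blocked=()):
        self.admin_id, self.user_ids = admin_id, user_ids
        self.acting_as, self.blocked = acting_as, blocked
    def user(self):
        return FakeUser(self.admin_id)
    def users(self):
        return [FakeUser(u) for u in self.user_ids]
    def as_user(self, user):
        return FakeClient(self.admin_id, self.user_ids, user.id, self.blocked)
    def events(self):
        return self
    def get_events(self, limit=100, stream_position=0):
        if self.acting_as == self.admin_id or self.acting_as in self.blocked:
            raise Denied(403, "access_denied_insufficient_permissions")
        return {"entries": [{"owner": self.acting_as or self.admin_id}]}
```

Any `denied` entries for non-admin users point back at the app's as-user permission, which is what the backend logs showed in this thread.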
