Server Side Authentication Scopes

My application uses JWT server side auth and the NodeJS SDK to authenticate to Box. The authentication is successful, and I am able to upload files with the SDK, however when I try to perform other actions like `client.folders.getItems`, for example, I am getting 405 Method Not Allowed errors. It seems like JWT only allows for read and write access, but prevents other actions like listing. Is this correct?

I need a way to authenticate with a long live access token, that allows for all endpoints in the SDK, not just read and write. Is there a way to do this? It looks like App Tokens also only allow for read and write privileges. I read here https://developer.box.com/guides/api-calls/permissions-and-errors/scopes/ that you can apply for additional scopes, would that be the only way to achieve the desired capabilities? 

Please let me know if this is possible, thank you!