Box equivalent of Google's Service Account?




  • Murtza

     We recently released Service Accounts for our API. Here is the link to the Service Account documentation.


    Another option is to authenticate as the Admin of the Box instance using OAuth2. Then you can use the access token scoped to the Admin and the As-User header to access content.

  • Box Product Support

    Thanks.

    I have gone down the OAuth route but am having some difficulty. Could you advise?


    I have set up a JWT. Inside the JWT I have set up all necessary fields. The problem is that I am getting the following error returned:

    {"error":"invalid_grant","error_description":"Please check the 'sub' claim."}


    The 'sub' value is the exact value that is shown in the Admin Console under 'Enterprise ID' so I am happy that this is correct. 


    The command that I am running, from the Mac terminal, is:


    curl -d 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&client_id=4354354&client_secret=4234324&assertion=eyJraWQiOiJ6MXA1NHVhbyIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJKb2UiLCJhdWQiOiJodHRwczovL2FwaS5ib3guY29tL29hdXRoMi90b2tlbiIsImJveF9zdWJfdHlwZSI6ImVudGVycHJpc2UiLCJpc3MiOiJ2bHR6bGh1bWRjcDhpMzRsY2g5OXV2bzdrMG5iM25zdCIsImV4cCI6MTQ3NDgwNDAxMCwianRpIjoieHVuaXF1ZXN0cmluZzEyMzQ1eCJ9.GSRHC9chYOE9DY5K_WvHpX4HRAtCzN6ZBdH26LCgz1gXNg7NxqLC9d_SWNc-UeUCF7lIpshxWUW0XmsIAVOvQZ0Paoaa5htXk-P8IgfgWSusO0RlBiAsUODz2zlMfX9myPNPvYCxeA4D3IA9BIf6MhIDrFm-LcSldh25gatHe5QVu7Q-U54LaREwUzYP8BWhmuVDyz9pNs_nLGIGVum7QZzlm5lBdXmd56YnWYnAr3VcPWztWpoJYQzFoBoSaErURhTDATSy21biVMwD57244U9gjp--zfakLbuqIl545Jl4qRLtZxP-TvmJgXHVTUE7O2lj2W_o8_fGbhaKK5TOcQ' -X POST



    In case it is of use, here is the section of Java code that goes to create the JWT. I have, of course, changed some values so that I am not sending the actual real-world values:


    Map claimsMap = new HashMap();
    claimsMap.put("iss", "vltzlhumdcp8i34lch99uvo7k0nb3nst");
    claimsMap.put("sub", "3606919");
    claimsMap.put("box_sub_type", "enterprise");
    claimsMap.put("aud", "");
    claimsMap.put("jti", "xuniquestring12345x");
    claimsMap.put("exp", removed for privacy0);

    Map headerMap = new HashMap();
    headerMap.put("typ", "JWT");
    headerMap.put("kid", "z1p54uao");
    headerMap.put("alg", "RS256");

    String compactJws = Jwts.builder()
      .signWith(signatureAlgorithm, newKey)



    As you can see, I have not included the Client ID or Secret. I assume that the error is happening before this is even looked at? 


    Here is 


    Might you be able to suggest why this error is occurring?


    Many thanks
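
An added example, not part of the original posts: one way to see which claims an assertion actually carries before sending it is to decode its header and payload locally and compare them with the values the signing code was meant to set. The input below is the header and payload copied from the curl command above; the function and constant names are assumptions, and decoding is not signature verification.

```python
import base64
import json
from datetime import datetime, timezone

# Header and payload segments copied from the assertion in the curl command in
# the post above; the signature segment is replaced because it is never decoded.
POSTED_ASSERTION = (
    "eyJraWQiOiJ6MXA1NHVhbyIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0"
    "."
    "eyJzdWIiOiJKb2UiLCJhdWQiOiJodHRwczovL2FwaS5ib3guY29tL29hdXRoMi90b2tlbiIs"
    "ImJveF9zdWJfdHlwZSI6ImVudGVycHJpc2UiLCJpc3MiOiJ2bHR6bGh1bWRjcDhpMzRsY2g5"
    "OXV2bzdrMG5iM25zdCIsImV4cCI6MTQ3NDgwNDAxMCwianRpIjoieHVuaXF1ZXN0cmluZzEy"
    "MzQ1eCJ9"
    ".signature-omitted"
)

# Values the Java snippet in the post puts into claimsMap ("aud" and "exp" are
# skipped because their values are not visible in the post).
INTENDED = {
    "iss": "vltzlhumdcp8i34lch99uvo7k0nb3nst",
    "sub": "3606919",
    "box_sub_type": "enterprise",
    "jti": "xuniquestring12345x",
}

def decode_segment(segment):
    """Base64url-decode one JWT segment (padding restored) and parse the JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def decode_unverified(assertion):
    """Return (header, claims) WITHOUT checking the signature: debugging only."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWS has exactly three dot-separated segments")
    return decode_segment(parts[0]), decode_segment(parts[1])

def claim_mismatches(claims, intended):
    """Map claim name -> (intended, actual) for each claim that differs or is missing."""
    return {name: (want, claims.get(name))
            for name, want in intended.items() if claims.get(name) != want}

if __name__ == "__main__":
    header, claims = decode_unverified(POSTED_ASSERTION)
    print("header:", header)
    print("exp (UTC):", datetime.fromtimestamp(claims["exp"], tz=timezone.utc))
    for name, (want, got) in claim_mismatches(claims, INTENDED).items():
        print(f"{name}: intended {want!r}, assertion carries {got!r}")
```

Run against the posted values, the only mismatch reported is `sub`: the assertion in the curl command carries a different `sub` value than the one the Java snippet sets.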

  • jszesq

    This post is fascinating to me, as we have been a Box Partner since 2008 and a Google for Work Partner almost as long. With Google Apps, there is a pretty clear divide between Apps Scripting and GCP where the Service Accounts live. Perhaps it would be helpful for a Box Employee that has knowledge to get a detailed reference to or explanation of the way the Service Account works for the Box-Salesforce Integration.
