JWT Service Account?




  • LoCortes

    Hello,

    The service account or the app account does not have unlimited access to everything unless you request that Box personnel enable it. The other option is to use the AS-USER property to emulate them, but it is only recommended for development.


    I understand that the 403 error you receive is because you have not added the app user to the folder you are trying to access. So, the first thing to avoid receiving the error is to add the user as you would do with a named user.



  • kbeattie_yelp



    Thanks for responding, LoCortes. It looks like my problem was just the order in which I was going about getting information off the platform and a lack of understanding of how it's set up, or how it works.


    My thinking was something like this:

    1. Generate JWT using enterprise id
    2. Use JWT to get access token
    3. Create App User
    4. Get access token for App User
    5. Get folder info on known folder (owned by me) using app user token


    This doesn't work.


    I found this article today, which gave me a clue as to the right way to go about this:



    This process is from the linked doc above:


    1. Generate JWT using my Enterprise ID
    2. Use this JWT to send a post request to Box API 'https://api.box.com/oauth2/token' to get Enterprise Access Token
    3. Use https://api.box.com/2.0/users -H "Authorization: Bearer EnterpriseAccessToken" to get user_id
    4. Generate JWT using my user_id
    5. Use new JWT to get User Access Token
    6. Use User Access Token to download my file


    THIS is the right order of things.  Based on that, I was able to sort out the logic in my app and rework my functions.  I'm getting data now.



  • Larry Leonidas

    Felt compelled to give you some feedback (despite the fact this post is 4 years old).

    Service Accounts are generated with an Authorized App within the Box Dev Console.

    Once you have that, you establish a design in your app to authenticate with the Service Account and perform various functions. Mostly it's for provisioning App Users. Once AppUsers are created, the same service account generates access tokens on demand for the AppUsers via their BoxID. You can then display things like UIElements etc. showing these AppUsers their own content. The Service Account can also perform other functions based on the App's defined scope.

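Added example, not part of any post in this thread: the six-step order quoted above, reduced to the two JWT assertions it depends on, built and signed offline with `openssl`. The claim names, the 60-second `exp` ceiling and the `jwt-bearer` grant type follow Box's JWT documentation; `CLIENT_ID`, `KEY_ID`, `CLIENT_SECRET` and the numeric ids are constructed placeholders, and the RSA key is a throwaway.

```bash
#!/usr/bin/env bash
# Added example: the two Box JWT assertions (enterprise, then user), built offline.
# CLIENT_ID, KEY_ID and the ids are constructed placeholders; the RSA key is a
# throwaway standing in for the app's private key from the Dev Console.
set -eu
CLIENT_ID="example-client-id"
KEY_ID="example-key-id"
AUD="https://api.box.com/oauth2/token"
KEY="$(mktemp)"
trap 'rm -f "$KEY" "$KEY.pub" "$KEY.sig"' EXIT
openssl genrsa -out "$KEY" 2048 2>/dev/null
openssl rsa -in "$KEY" -pubout -out "$KEY.pub" 2>/dev/null

b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }

# box_claims <enterprise|user> <id>: only sub and box_sub_type change between steps.
# exp stays under the 60-second ceiling; jti is a fresh random value per assertion.
box_claims() {
  printf '{"iss":"%s","sub":"%s","box_sub_type":"%s","aud":"%s","jti":"%s","exp":%d}' \
    "$CLIENT_ID" "$2" "$1" "$AUD" "$(openssl rand -hex 16)" "$(( $(date +%s) + 45 ))"
}

# box_assertion <enterprise|user> <id>: RS256-signed compact JWT
box_assertion() {
  ba_head="$(printf '{"alg":"RS256","typ":"JWT","kid":"%s"}' "$KEY_ID" | b64url)"
  ba_body="$(box_claims "$1" "$2" | b64url)"
  ba_sig="$(printf '%s.%s' "$ba_head" "$ba_body" | openssl dgst -sha256 -sign "$KEY" | b64url)"
  printf '%s.%s.%s' "$ba_head" "$ba_body" "$ba_sig"
}

# verify_assertion <jwt>: exit 0 only if the signature matches the public key
verify_assertion() {
  va_signed="${1%.*}"; va_sig="${1##*.}"
  case $(( ${#va_sig} % 4 )) in 2) va_sig="$va_sig==" ;; 3) va_sig="$va_sig=" ;; esac
  printf '%s' "$va_sig" | tr '_-' '/+' | openssl base64 -d -A > "$KEY.sig"
  printf '%s' "$va_signed" |
    openssl dgst -sha256 -verify "$KEY.pub" -signature "$KEY.sig" >/dev/null 2>&1
}

ENT_JWT="$(box_assertion enterprise 11111)"  # steps 1-2: sub = enterprise id
USER_JWT="$(box_assertion user 22222)"       # steps 4-5: sub = user_id from step 3
# Each assertion is exchanged at $AUD for an access token (not executed here):
#   curl -s "$AUD" -d grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer \
#     -d client_id="$CLIENT_ID" -d client_secret=CLIENT_SECRET \
#     --data-urlencode assertion="$ENT_JWT"
verify_assertion "$ENT_JWT" && verify_assertion "$USER_JWT" && echo "both assertions verify"
```

The enterprise token from the first exchange is what lists or creates users; content calls then go out under the token from the second exchange, which carries only that user's folder permissions.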
