Exchange an access token for an "as-user" token?




  • RobinDeSchepper

    I'm gonna rephrase for clarity:

    A JWT access token seems to recognize me as my service account, now I'd like a token that recognizes me as if I were another user in the enterprise. Does something like that exist?


    If it doesn't exist, what would be the best way to go about showing the root folder of an app-user in Box UI Elements? How do I even find the id of a user's root folder?

  • cbetta




    The way to do this is, instead of requesting a token for your "enterprise" (aka Service Account), to request one for your user. The general gist for that can be found here:



    Let me know what language you use and I can share more details.

  • RobinDeSchepper



    Wow, completely missed those, I was looking in the API reference 😉 I'm using PHP. Could you post an example curl request perhaps?

  • RobinDeSchepper

     bump? 😜

  • Jason



    Hello! You can get a token for your user almost exactly the same way that you would get a token for your service account. The difference is that instead of passing in the string "enterprise" and an enterprise ID, you would pass in "user" and a user ID.


    Are you using an SDK to generate your JWT assertion / token right now? Or are you doing it all manually? 


    You can see a manual example in PHP on this page:

    // We will need the authenticationUrl again later,
    // so it is handy to define here
    $authenticationUrl = '';
    $claims = [
      'iss' => $config->boxAppSettings->clientID,
      'sub' => $config->enterpriseID,
      'box_sub_type' => 'enterprise',
      'aud' => $authenticationUrl,
      // This is an identifier that helps protect against
      // replay attacks
      'jti' => base64_encode(random_bytes(64)),
      // We give the assertion a lifetime of 45 seconds
      // before it expires
      'exp' => time() + 45,
      'kid' => $config->boxAppSettings->appAuth->publicKeyID
    ];

    Where instead of filling in sub_type="enterprise" and sub=enterprise_id, you would fill in "user" and user_id


    In other words, the only change you're making is in the construction of the JWT assertion. The API call to obtain the token remains the same.


    If you're using an SDK, it may prompt you just for those two variables (enterprise/enterprise_id or user/user_id), kind of like this example in our Node.js SDK:

    var appUserClient = sdk.getAppAuthClient('user', 'YOUR-APP-USER-ID');

    ^ for getting a user token

    var serviceAccountClient = sdk.getAppAuthClient('enterprise', 'YOUR-ENTERPRISE-ID');

    Finally, all of this assumes you have both:

    • Enabled the "Generate User Access Tokens" scope from the developer console / app config page
    • Reauthorized the app in your admin console.


    Hope that helps! Ping back if you have q's or if that works!


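The change described in the answer above, written out by hand in Node.js as an added example (not code from the thread or from the Box SDK): the same signed assertion is built for either subject type, and only `sub` and `box_sub_type` differ. Assumptions: RS256 signing, `kid` carried in the JWT header, the RFC 7523 `jwt-bearer` form parameters, and constructed placeholder identifiers and audience URL.

```javascript
const { createSign, createVerify, generateKeyPairSync, randomBytes } = require('node:crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');

// subType selects who the resulting token acts as: 'enterprise' or 'user'.
function buildAssertion({ clientId, keyId, privateKey, audience }, subType, subjectId) {
  if (subType !== 'enterprise' && subType !== 'user') {
    throw new Error(`unsupported box_sub_type: ${subType}`);
  }
  const header = { alg: 'RS256', typ: 'JWT', kid: keyId }; // assumption: RS256, kid in header
  const claims = {
    iss: clientId,
    sub: String(subjectId),
    box_sub_type: subType,
    aud: audience,
    jti: randomBytes(32).toString('hex'),    // unique per assertion, limits replay
    exp: Math.floor(Date.now() / 1000) + 45, // 45-second lifetime, as in the thread
  };
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = createSign('RSA-SHA256').update(input).sign(privateKey).toString('base64url');
  return `${input}.${sig}`;
}

// Checks the signature with the public key and returns the signed claims.
function verifyAssertion(jwt, publicKey) {
  const [h, p, s] = jwt.split('.');
  const ok = createVerify('RSA-SHA256').update(`${h}.${p}`).verify(publicKey, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('signature check failed');
  return JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
}

// Form body of the token request (RFC 7523 grant); the same for both subject types.
function tokenRequestBody(assertion, clientId, clientSecret) {
  return new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    assertion, client_id: clientId, client_secret: clientSecret,
  }).toString();
}

// Constructed demo: throwaway key pair, placeholder identifiers and audience URL.
function demo() {
  const { privateKey, publicKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
  const cfg = { clientId: 'CLIENT-ID', keyId: 'KEY-ID', privateKey,
                audience: 'https://token-endpoint.example/oauth2/token' };
  const user = verifyAssertion(buildAssertion(cfg, 'user', 'APP-USER-ID'), publicKey);
  const svc = verifyAssertion(buildAssertion(cfg, 'enterprise', 'ENTERPRISE-ID'), publicKey);
  return { user, svc };
}
```

Because the subject type sits inside the signed payload, an assertion issued for the service account cannot be edited into a user assertion without the private key, so that key is what gates acting as any user once the user-token scope is enabled.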
