403 - Access denied - insufficient permission

Hi there, I’m trying to use the Box API with Client Credentials. I can get the access token but when I try to use this token to get a list of items from a folder I got this response:

{
    "type": "error",
    "status": 403,
    "code": "access_denied_insufficient_permissions",
    "help_url": "http://developers.box.com/docs/#errors",
    "message": "Access denied - insufficient permission",
    "request_id": "ag9fdlhmauc74la5"
}

The folder I’m trying to access was created by me. How do I not have permission to access it?

Hi @marcusfreitas182, welcome to the forum!

It depends on which credentials you are using with your CCG authentication.

If you are using enterprise, then the CCG authorization is associated with the service account automatically created for the CCG application. In this case the service account does not, by default, have access to your user content.

If you are using user, then it is the security context of the user itself.

When you request a new access token for the CCG app, check to see if you are requesting it for the service account or for your user. For example:

curl --location 'https://api.box.com/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=<MY CLIENT ID>' \
--data-urlencode 'client_secret=<MY CLIENT SECRET>' \
--data-urlencode 'box_subject_type=enterprise' \
--data-urlencode 'box_subject_id=877840855'

Returns this:

{
    "access_token": "XeF...P9",
    "expires_in": 3884,
    "restricted_to": [],
    "token_type": "bearer"
}

Let’s check who is logged in:

curl --location 'https://api.box.com/2.0/users/me?fields=id%2Ctype%2Cname%2Clogin' \
--header 'Authorization: Bearer XeF...P9'

Results in:

{
    "type": "user",
    "id": "20706451735",
    "name": "CCG",
    "login": "AutomationUser_1803368_9rbDFPFJSf@boxdevedition.com"
}

Now let’s try the same but request a CCG access token for my user:

curl --location 'https://api.box.com/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=<MY CLIENT ID>' \
--data-urlencode 'client_secret=<MY SECRET>' \
--data-urlencode 'box_subject_type=user' \
--data-urlencode 'box_subject_id=18622116055'

Results in:

{
    "access_token": "B4...Ww",
    "expires_in": 4222,
    "restricted_to": [],
    "token_type": "bearer"
}

Checking the logged-in user:

curl --location 'https://api.box.com/2.0/users/me?fields=id%2Ctype%2Cname%2Clogin' \
--header 'Authorization: Bearer B4...Ww'

Results in:

{
    "type": "user",
    "id": "18622116055",
    "name": "Rui Barbosa",
    "login": "myemail@gmail.com"
}

Let us know if this helps.
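The token, whoami and folder-listing check walked through above, as an added example that is not part of this thread or of Box's SDKs. It assumes placeholder client credentials, subject ids and folder id, and the two HTTP helpers (`_post_form`, `_get_bearer`) are injectable so the same flow can be exercised against constructed responses.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

TOKEN_URL = "https://api.box.com/oauth2/token"
API = "https://api.box.com/2.0"

def _post_form(url, form):
    # Real transport: POST an x-www-form-urlencoded body, return (status, json).
    req = urllib.request.Request(url, data=urlencode(form).encode(),
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as r:
        return r.status, json.load(r)

def _get_bearer(url, token):
    # Real transport: GET with the bearer token; Box returns a JSON body on 4xx too.
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as r:
            return r.status, json.load(r)
    except urllib.error.HTTPError as e:
        return e.code, json.load(e)

def ccg_token(client_id, client_secret, subject_type, subject_id, post=_post_form):
    """Client-credentials grant; subject_type picks service account vs. your user."""
    if subject_type not in ("enterprise", "user"):
        raise ValueError("box_subject_type must be 'enterprise' or 'user'")
    status, body = post(TOKEN_URL, {
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "box_subject_type": subject_type,
        "box_subject_id": subject_id})
    if status != 200:
        raise RuntimeError(f"token request failed: {status} {body}")
    return body["access_token"]

def diagnose_folder_access(token, subject_type, folder_id, get=_get_bearer):
    """Return (identity behind the token, verdict) for listing folder_id."""
    _, me = get(f"{API}/users/me?fields=id,type,name,login", token)
    status, body = get(f"{API}/folders/{folder_id}/items", token)
    if status == 200:
        return me, "ok"
    if status == 403 and body.get("code") == "access_denied_insufficient_permissions":
        if subject_type == "enterprise":
            return me, (f"token acts as service account {me['login']}, which has no "
                        "access to your content by default; request it with "
                        "box_subject_type=user and your user id instead")
        return me, f"user {me['login']} lacks permission on folder {folder_id}"
    return me, f"unexpected {status}: {body}"
```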