Error 403 when trying to download or upload files

Hello there,

I am using your API to upload/download files to Box. I have managed to list all the folders and files but when trying to upload or download files and i’m receiving 403 error insufficient_scope. I have created a OAuth 2.0 app and i have all permissions (having a free account).

So any solve for me?

Thank you for your time.

Hi @antonio , welcome to the forum.

With just this information it is hard to help you.

Are you able to get an access token? Does your app completes the authorization process?

Can you give us more details?


See if this sample from the node SDK works for you:


Yes, i have a access token and using getBasicClient method and later I am listing all the necessary folders in the same function. The authentication was succesful, but later when I use the same access token it does not allow me to download or upload files, should I generate another token to allow me to do that?

Hi @antonio

The access token only lasts 60 minutes, but it should be automatically refreshed if you are using the SDK’s. When you say later, is it over 60 minutes later?

Could you send us a code sample that we can use to replicate your issue?

Best regards

Hi @rbarbosa

Im getting the access token refreshed by a refresh token. When i say later i mean at the moment (sorry for my english, it’s very bad :sweat_smile:).

  1. I have a controller that call this service
async getToken() {
    const response = await'', {
      grant_type: 'refresh_token',
      client_id: clientID,
      client_secret: clientSecret,
      refresh_token: tokens.refresh_token,
      access_token: tokens.access_token
    const sdk = new BoxSDK({ clientID, clientSecret });
    const client = sdk.getBasicClient(;
    return { client };
  1. I return the client and create a stream with the file sent in my upload method
async uploadFileToBox(client, files, folderId) {
    try {
      const stream = fs.createReadStream(files.file.path);
      const response = await client.files.uploadFile(folderId,, stream);
      return response;
    } catch (error) {
      throw error;
    } finally {
      await fs.promises.rm(files.file.path);


In the developer console, under your app configurations do you have the write permission selected?

(looks like this)

If not can you list, using your app, the content of the destination folder?



Yes i have these content actions selected. I can list, but i cant upload or download files.

Very well @antonio .

Allow me some time to try and replicate this and figure out what could possibly be wrong, as at first glance nothing else comes to mind.


1 Like

Hi @rbarbosa,

Any news about the problem I have? I await your answer.


Let me see if I can find someone else to help you.

1 Like

Hi @antonio,
it really seems to me as you didn’t have enabled right scope “Write all files and folders stored in Box”. Are you sure you have saved it? After the change remember to get a fresh token. If it still doesn’t work, can you provide your app id ?


Yes i have all permissions

Do i need to have the app published?

@antonio saving app is enough. To what folder are you trying to upload and download ? Do you have permission to access it ?


I am trying to upload and download to a folder created by me and i have all permissions but nothing…

Also, i tried to upload and download with a shared folder with all permission

Can you try that curl to exclude SDK from possible sources of the error ? Please fill <FILE_ID> and <ACCESS_TOKEN> with your data.

curl -i -L -X GET "<FILE_ID>/content" \
     -H "authorization: Bearer <ACCESS_TOKEN>" \

I have the same error:

Also, i tested the sdk with python and i have the same error

Hi @antonio ,

It seems that the token you are using, don’t have permissions for this file. To confirm this, please execute the following command:

curl --location '<FILE_ID>?fields=permissions,created_by' \
--header 'Authorization: Bearer <ACCESS_TOKEN>'

This command should return fields such as can_download and 'an_upload. If they have a value of false, it means that the token used doesn’t have the necessary permissions.

Could you also confirm that the user returned in the created_by field in the previous request is the same as the one resulting from this request?

curl --location '' \
--header 'Authorization: Bearer <ACCESS_TOKEN>'

Sorry for the delay,

The problem I had was when I generated the access_token and the refresh_token did not have permissions for folder editing. I activated the permissions later and when I refreshed the token, the access_token still did not have those permissions.

Subsequently, I regenerated the access_token and refresh_token with the permissions set and was able to manage the folders y pude resolver mi problema.

Para aquellos que no sepan, pueden generar ese token en este enlace por si les sirve de ayuda:

Thanks for everything.