Failed to create app user

Was trying to create an app user following this guide,

and with the following api request:

request: {"is_platform_access_only": true, "name": "test"}

{
  "type": "error",
  "status": 403,
  "code": "access_denied_insufficient_permissions",
  "help_url": "",
  "message": "Access denied - insufficient permission",
  "request_id": "avrw5xhevqe1xti8"
}


What is missing? Can you please assist?

(I have verified I have sufficient permissions to create a user which is not an app user and it was created successfully)


Hi Henrick!

App Users have to be created using a service account. I assume that might be why you are getting this error.

Service accounts are created automatically after a JWT or CCG application is authorized by the primary admin. If you are using one of our SDK libraries, you can create a client with the service account. That should allow you to create app users. Here is an example of doing that with Python. Once you have a client, you should be able to create an app user, using something like this example here.

Unfortunately, you cannot use the as-user functionality to run commands for a service account.

Also - you can use the Box CLI, configuring it with a JWT or CCG application. Then if you ran a command similar to this, an app user can be created.

Alternatively, if you wanted to use cURL, you would need to go through the token request process to get an access token for the service account. You would then use that token in your call to create an app user.

I hope this helps. Let me know if I can clarify anything else!


Thanks, we are using the OAuth2 code flow. Is it also creating a service account behind the scenes?
Can we create an app user with our current flow, or is it mandatory to use the service account flow?

OAuth 2.0 app type does not create a service account. It uses your own managed user account instead. If you would like to create an app user, you will need to use a JWT or CCG auth type for your application.

Alex - Box Developer Advocate

Thank you!
Do we need an additional consent flow or can we create a service account on behalf of our oauth app?

Ah! I think I may have confused you a bit. You will have to make a new app that uses JWT or CCG. You will not be able to use an OAuth 2 app to create app users.

Thanks, one last question: will creating app users help us to leverage and create more search API calls? Will performing the call with the as-user header of an app user help us create more than 12 API calls per org? Or is it limited regardless of any addition of app users?


The current limit stated by the documentation -
12 searches per second, per enterprise

Correct. For that rate limit, it's per enterprise. So if you had 13 app users doing a search in one second, you'd hit the rate limit.

Thanks! And is that limit affected by customer API calls as well?
Or are they 12 api calls dedicated per application regardless of the number the customer is doing on his side?

It is 12 per enterprise for search regardless of if they are internal or customer users.
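
An added example, not part of the thread and not Box code: a client-side limiter for the per-enterprise search limit confirmed above, showing that the 13th search in one second is held back no matter which app user sends it. The class and function names, the enterprise and user ids, and the sliding-window approach are assumptions made for illustration; only the figure of 12 searches per second per enterprise comes from the thread.

```python
import time
from collections import deque

SEARCH_LIMIT = 12      # searches per window, per enterprise (figure quoted in the thread)
WINDOW_SECONDS = 1.0


class EnterpriseSearchLimiter:
    """Client-side sliding-window limiter keyed by enterprise, not by user."""

    def __init__(self, limit=SEARCH_LIMIT, window=WINDOW_SECONDS, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._calls = {}  # enterprise_id -> deque of call timestamps

    def try_acquire(self, enterprise_id, as_user_id):
        """Return 0.0 if the search may be sent now, else seconds to wait.

        as_user_id is accepted only to make the point explicit: it is not
        part of the key, so adding app users does not add budget.
        """
        now = self.clock()
        calls = self._calls.setdefault(enterprise_id, deque())
        while calls and now - calls[0] >= self.window:
            calls.popleft()            # drop calls that have left the window
        if len(calls) < self.limit:
            calls.append(now)
            return 0.0
        return self.window - (now - calls[0])


def simulate(users, enterprise_id="ent-1", step=0.01):
    """Constructed scenario: each user issues one search, `step` seconds apart."""
    t = [0.0]                          # hypothetical fake clock for a repeatable run
    limiter = EnterpriseSearchLimiter(clock=lambda: t[0])
    results = []
    for user in users:
        results.append((user, limiter.try_acquire(enterprise_id, user)))
        t[0] += step
    return results


if __name__ == "__main__":
    for user, wait in simulate([f"app-user-{i}" for i in range(1, 14)]):
        print(user, "send now" if wait == 0.0 else f"wait {wait:.2f}s")
```
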