Permission issues with Annotations with downscoped tokens

Hello -

I am working on a custom application that requires the use of annotations on files. I am consistently running into issues with annotations. Our application utilizes JWT for authentication.

When attempting to downscope the access token with scopes needed for the UI elements + annotations, I consistently get “Insufficient permissions” for the downscoped token. Upon looking at the permissions for my file using the downscoped token, I notice that there are additional permissions that are not enabled despite following the scopes outlined in the documentation:

Downscoped access token (scopes: base_preview item_download item_upload annotation_edit annotation_view_all base_sidebar item_comment item_preview)

{
    "type": "file",
    "etag": "0",
    "permissions": {
        "can_download": true,
        "can_preview": true,
        "can_upload": true,
        "can_comment": true,
        "can_rename": false,
        "can_delete": false,
        "can_share": false,
        "can_set_share_access": false,
        "can_invite_collaborator": false,
        "can_annotate": true,
        "can_view_annotations_all": true,
        "can_view_annotations_self": true,
        "can_create_annotations": false,
        "can_view_annotations": false
    }
}

Using an access token that has never been downscoped will have those “can_create_annotations” and “can_view_annotations” permissions as true. The behavior with that token is that I can annotate just fine, but any downscoped token cannot perform annotations at all. I can’t figure out if that is causing the issue or I am missing something else. I’m using the box-annotations library alongside the content preview + sidebar via CDN.

So instead, I went to the “Annotator Token” workflow and it ends up never working. I always get the same error {"error":"invalid_grant","error_description":"There was an error in the \"actor_token\". Algorithm not allowed"} - using the exact same steps to generate the assertion as the main access token (which works!). It’s being generated with the RS256 algorithm but it still rejects it. I was wondering if there was an issue with the assertion generated, but as it’s working fine to get the initial access token, I am just a little baffled.

Any advice or guidance would be greatly appreciated. I am not sure if this is the correct area to place this in.
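As an added example that is not part of the original post (and not Box's own code): a small Python script that builds the token-exchange request Box documents for downscoping an access token and reports which annotation permission flags a file's `permissions` object still leaves disabled, which is how you verify that a least-privilege token actually carries the rights the UI needs. The sample permissions object is constructed to mirror the one quoted above; the live check at the bottom assumes a real access token and file ID.

```python
"""Added example: downscope a Box token and audit the annotation permissions."""
import json
import urllib.parse
import urllib.request

BOX_TOKEN_URL = "https://api.box.com/oauth2/token"
BOX_FILE_URL = "https://api.box.com/2.0/files/{file_id}"

# Scopes requested in the post for the preview UI plus annotations.
ANNOTATION_SCOPES = ["base_preview", "item_download", "item_upload", "annotation_edit",
                     "annotation_view_all", "base_sidebar", "item_comment", "item_preview"]

# Permission flags an annotation workflow relies on in the file's permissions object.
ANNOTATION_PERMISSIONS = ("can_annotate", "can_view_annotations_all", "can_view_annotations_self",
                          "can_create_annotations", "can_view_annotations")


def build_downscope_request(subject_token, scopes, file_id):
    """Form body of the RFC 8693 token exchange Box uses to downscope a token to one file."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token": subject_token,
        "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "scope": " ".join(scopes),                       # space-separated scope list
        "resource": BOX_FILE_URL.format(file_id=file_id),  # restrict the token to this file
    }


def missing_annotation_permissions(file_info):
    """Return the annotation flags that are false or absent in a file's permissions object."""
    perms = file_info.get("permissions", {})
    return [p for p in ANNOTATION_PERMISSIONS if not perms.get(p, False)]


# Constructed sample mirroring the downscoped-token response quoted in the post.
SAMPLE_FILE_INFO = json.loads('''{"type": "file", "etag": "0", "permissions": {
  "can_download": true, "can_preview": true, "can_upload": true, "can_comment": true,
  "can_annotate": true, "can_view_annotations_all": true, "can_view_annotations_self": true,
  "can_create_annotations": false, "can_view_annotations": false}}''')


def check_downscoped_token(subject_token, file_id, scopes=ANNOTATION_SCOPES):
    """Live check (needs network and a valid token): downscope, then read the file's permissions."""
    body = urllib.parse.urlencode(build_downscope_request(subject_token, scopes, file_id)).encode()
    with urllib.request.urlopen(urllib.request.Request(BOX_TOKEN_URL, data=body), timeout=30) as r:
        downscoped = json.load(r)["access_token"]
    req = urllib.request.Request(BOX_FILE_URL.format(file_id=file_id) + "?fields=permissions",
                                 headers={"Authorization": f"Bearer {downscoped}"})
    with urllib.request.urlopen(req, timeout=30) as r:
        return missing_annotation_permissions(json.load(r))


if __name__ == "__main__":
    print("disabled annotation permissions:", missing_annotation_permissions(SAMPLE_FILE_INFO))
```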