Service Account can't use Box Sign API

I have a custom Box App that is set up App Token (Server Authentication). This type of config creates a service account and gives us an access token. I’ve had no problem using the Box API in the past with this token as long as the associated service account is given access to the appropriate folers.

However, calls to the Box SIGN parts of the API return the following:

“type”: “error”,
“code”: “insufficient_scope”,
“status”: 403,
“message”: “The request requires higher privileges than provided by the access token.”,
“help_url”: “”,
“request_id”: “0aa1e51ed7348b0df97959af0e579f7e6”

Our admin has granted Box Sign access to this service account and I even re-authorized the app just in case. But I’m still getting this permission error. Are service accounts allowed to use Box Sign API?

Keep in mind this uses a static APP TOKEN. It does not use OAuth

Welcome @brian.lorraine ! :smiley:

On this page ( you’ll fiond the required scopes to use Box Sign with API calls.

As you can see, the “Manage signature requests” scope is really important.

Can you also check this update that happened recently : Updates to permission scopes in manage groups – Box Support

In some cases, you would need to set up your configuration to “App Access + Enterprise Access”.

I hope it helps !

That setting only seems applicable if the app uses Oauth authentication. I have another app that uses Oauth and I see all those settings you’re referring to. The links you gave for the needed scopes also only seem to reference the scopes for Oauth.

If an uses an App Token (Server Authentication) with a service account, which is what we need, those options aren’t visible in the “My Apps” configuration section. So essentially, this means that I can’t use Box Sign API with a server token/service account then, correct? I have to use Oauth?

So it looks like when you create an app in the developer console, you have a few options. The service account I’m using is for an app that was set up as a “Limited Access App”. This apparently is what is causing the issue. If I set up a new test app and select “Custom App”, this still allows me to use server authentication with a token AND grant access to the necessary scopes.

I don’t think there is a way to convert from a Limtied App to a Custom App so I may have to create a new Custom app and migrate my custom application to use the new token.