Uploading via Server-Side Login via API

I wanted to ask your support in regards to uploading PDF’s via a server-side login (without human intervention). We are uploading to third-party boxes, which our account has been given access to (not our own Boxes).


We are receiving the below error message when uploading the PDF’s via API:

Message: Grant credentials are invalid

The login to Box is valid. The error pops up when uploading to one of the folders. For example trying to upload the latest ‘AU_BEL’ logs the following:
Client Auth success: <boxsdk.client.client.Client object at 0x7fd2ee018310>
Client User Auth success: <boxsdk.client.client.Client object at 0x7fd2ebfd14d0>
Switched to folder for AU_BEL at 86734036620
Attempting to upload au_bel_20230821_2310.pdf to folder “86734036620”
“POST https://api.box.com/oauth2/token” 400 77
{‘Date’: ‘Tue, 15 Aug 2023 10:18:41 GMT’, ‘Content-Type’: ‘application/json’, ‘Transfer-Encoding’: ‘chunked’, ‘Strict-Transport-Security’: ‘max-age=31536000’, ‘Set-Cookie’: ‘box_visitor_id=64db5100e92b95.63351248; expires=Thu, 15-Aug-2024 10:18:40 GMT; Max-Age=31622400; path=/; domain=.box.com; secure; SameSite=None, bv=OPS-46406; expires=Tue, 22-Aug-2023 10:18:40 GMT; Max-Age=604800; path=/; domain=.app.box.com; secure, cn=0; expires=Thu, 15-Aug-2024 10:18:40 GMT; Max-Age=31622400; path=/; domain=.app.box.com; secure, site_preference=desktop; path=/; domain=.box.com; secure’, ‘Cache-Control’: ‘no-store’, ‘Via’: ‘1.1 google’, ‘Alt-Svc’: ‘h3=“:443”; ma=2592000,h3-29=“:443”; ma=2592000’}
{‘error’: ‘invalid_grant’, ‘error_description’: ‘Grant credentials are invalid’}

I’m switching to the ‘user’ user_client (that would be me), switching to the folder, and then I get an ‘invalid_grant’ only when trying to upload. This seems to me that my user is somehow not allowed to upload content? However when I upload via the WebInterface, it does work. Why am I not allowed to upload via the API?

Hi @brittnolle , welcome to the forum!

That 400 error on the POST to /oauth2/token is telling me that the system tried to get an access token but was unable to.

Try to intercept that particular request and see what is actually being posted. Perhaps an incorrect client_id, client_secret, or even the authentication type (CCG vs something else)

Independently of further errors this needs to be solved.

These discrepancies are possible if the configurations at application level do not match your user configuration when you access the box app directly. For example the app can have “App Access Only” selected, or not having “Write all files and folders”, impacting all users.

Another possibility is if your app is downscoping a token, restricting access even further.

Another possibility that happens to me all the time is that I update the app configurations in the developer console, but forget to submit it for approval. So I think the configurations are all fine, but those haven’t actually be applied.

Let us know.