;
};
It is possible for a JWT application to create an Access Token for a specific
user instead of for the Service Account.
## Preconditions
The application must be configured to allow the creation of user Access Tokens.
This setting can be found in the **Configuration** tab of the
[Developer Console][devconsole].
Additionally, the authenticated user needs to be a user with Admin permissions,
meaning either an Admin, Co-Admin, or Service Account. See our guide on
User Types for more details.
## User Access Tokens with SDKs
To create a Box SDK client that authenticates as a specific user, follow the
steps described in the JWT with SDK guide,
but create a user client instead of an "Enterprise" client.
```csharp .Net theme={null}
var userId = "12345";
var sdk = new BoxJWTAuth(config);
var token = sdk.UserToken(appUserID);
BoxClient client = sdk.UserClient(userToken, userId);
```
```java Java theme={null}
String userId = "12345";
BoxDeveloperEditionAPIConnection api = new BoxDeveloperEditionAPIConnection.getAppUserConnection(userId, config)
```
```python Python theme={null}
user = client.user(user_id='12345')
auth = JWTAuth(
client_id='[CLIENT_ID]',
client_secret='[CLIENT_SECRET]',
user=app_user,
jwt_key_id='[JWT_KEY_ID]',
rsa_private_key_file_sys_path='[CERT.PEM]',
rsa_private_key_passphrase='[PASSPHRASE]'
)
auth.authenticate_user()
user_client = Client(auth)
```
```js Node theme={null}
var sdk = BoxSDK.getPreconfiguredInstance(config);
var client = sdk.getAppAuthClient('user', '12345');
```
## User Access Tokens without SDKs
To create a user Access Token that authenticates as a specific user, follow the
steps as described in the
JWT without SDK guide but instead of creating
a claim for the enterprise, create one for a specific user ID.
```csharp .Net theme={null}
var userId = "12345";
var claims = new List{
new Claim("sub", userid),
new Claim("box_sub_type", "user"),
new Claim("jti", jti),
};
```
```java Java theme={null}
String userId = "12345";
JwtClaims claims = new JwtClaims();
claims.setIssuer(config.boxAppSettings.clientID);
claims.setAudience(authenticationUrl);
claims.setSubject(userId);
claims.setClaim("box_sub_type", "user");
claims.setGeneratedJwtId(64);
claims.setExpirationTimeMinutesInTheFuture(0.75f);
```
```python Python theme={null}
user_id = '12345'
claims = {
'iss': config['boxAppSettings']['clientID'],
'sub': user_id,
'box_sub_type': 'user',
'aud': authentication_url,
'jti': secrets.token_hex(64),
'exp': round(time.time()) + 45
}
```
```js Node theme={null}
let user_id = '12345';
let claims = {
iss: config.boxAppSettings.clientID,
sub: user_id,
box_sub_type: "user",
aud: authenticationUrl,
jti: crypto.randomBytes(64).toString("hex"),
exp: Math.floor(Date.now() / 1000) + 45
};
```
```ruby Ruby theme={null}
user_id = '12345'
claims = {
iss: config['boxAppSettings']['clientID'],
sub: user_id,
box_sub_type: 'user',
aud: authentication_url,
jti: SecureRandom.hex(64),
exp: Time.now.to_i + 45
}
```
```php PHP theme={null}
$userId = '12345';
$claims = [
'iss' => $config->boxAppSettings->clientID,
'sub' => $userId,
'box_sub_type' => 'user',
'aud' => $authenticationUrl,
'jti' => base64_encode(random_bytes(64)),
'exp' => time() + 45,
'kid' => $config->boxAppSettings->appAuth->publicKeyID
];
```
[devconsole]: https://app.box.com/developers/console
Additionally, the authenticated user needs to be a user with Admin permissions,
meaning either an Admin, Co-Admin, or Service Account. See our guide on
User Types for more details.
## User Access Tokens with SDKs
To create a Box SDK client that authenticates as a specific user, follow the
steps described in the JWT with SDK guide,
but create a user client instead of an "Enterprise" client.