User Access Token

User Access Token

It is possible for a JWT application to act on behalf of another user by creating an access token for a specific user instead of the Service Account for the application.

In this situation the user ID is the Box identifier for a user. User IDs can found for any user via the GET /users endpoint, which is only available to admins, or by calling the GET /users/me endpoint with an authenticated user session.

Preconditions

Creating a user access token has a few requirements. Firstly, the application needs to be configured to be allowed to create user access tokens in the developer console.

Advanced Features

Additionally, the authenticated user needs to be a user with admin permissions, meaning either an admin, co-admin, or service account. See our guide on User Types for more details.

User Access Tokens with SDKs

To create a Box SDK client that authenticates as a specific user instead of the JWT app's Service Account, follow the same steps as described in the JWT with SDK guide but instead of creating an "Enterprise" client we instead create a user client.

.Net
var userId = "12345";
var sdk = new BoxJWTAuth(config);
var token = sdk.UserToken(appUserID);
BoxClient client = boxJWT.UserClient(userToken, userId);
Java
String userId = "12345";
BoxDeveloperEditionAPIConnection api = new BoxDeveloperEditionAPIConnection.getAppUserConnection(userId, config)
Python
user = client.user(user_id='12345')

auth = JWTAuth(
    client_id='[CLIENT_ID]',
    client_secret='[CLIENT_SECRET]',
    user=app_user,
    jwt_key_id='[JWT_KEY_ID]',
    rsa_private_key_file_sys_path='[CERT.PEM]',
    rsa_private_key_passphrase='[PASSPHRASE]'
)
auth.authenticate_user()
user_client = Client(auth)
Node
var sdk = BoxSDK.getPreconfiguredInstance(config);
var client = sdk.getAppAuthClient('user', '12345');

Learn more about using the Box SDKs for JWT

User Access Tokens without SDKs

To create a User Access Token that authenticates as a specific user instead of the JWT app's Service Account follow the same steps as described in the JWT without SDK guide but instead of creating a claim for the enterprise, create one for a specific user ID.

.Net
var userId = "12345";

var claims = new List<Claim>{
  new Claim("sub", userid),
  new Claim("box_sub_type", "user"),
  new Claim("jti", jti),
};
Java
String userId = "12345";

JwtClaims claims = new JwtClaims();
claims.setIssuer(config.boxAppSettings.clientID);
claims.setAudience(authenticationUrl);
claims.setSubject(userId);
claims.setClaim("box_sub_type", "user");
claims.setGeneratedJwtId(64);
claims.setExpirationTimeMinutesInTheFuture(0.75f);
Python
user_id = '12345';

claims = {
  'iss': config['boxAppSettings']['clientID'],
  'sub': user_id,
  'box_sub_type': 'user',
  'aud': authentication_url,
  'jti': secrets.token_hex(64),
  'exp': round(time.time()) + 45
}
Node
let user_id = '12345';

let claims = {
  iss: config.boxAppSettings.clientID,
  sub: user_id,
  box_sub_type: "user",
  aud: authenticationUrl,
  jti: crypto.randomBytes(64).toString("hex"),
  exp: Math.floor(Date.now() / 1000) + 45
};
Ruby
user_id = '12345'

claims = {
  iss: config['boxAppSettings']['clientID'],
  sub: user_id,
  box_sub_type: 'user',
  aud: authentication_url,
  jti: SecureRandom.hex(64),
  exp: Time.now.to_i + 45
}
PHP
$userId = '12345';

$claims = [
  'iss' => $config->boxAppSettings->clientID,
  'sub' => $userId,
  'box_sub_type' => 'user',
  'aud' => $authenticationUrl,
  'jti' => base64_encode(random_bytes(64)),
  'exp' => time() + 45,
  'kid' => $config->boxAppSettings->appAuth->publicKeyID
];

Learn more about manually using JWT authentication