as-user Header

as-user Header

It is possible to for a JWT application to act on behalf of another user by leveraging the as-user header.

curl https://api.box.com/2.0/folders/0 \
  -H "as-user: [USER_ID]"
  -H "authorization: Bearer [ACCESS_TOKEN]"

In this situation the user ID is the Box identifier for a user. User IDs can found for any user via the GET /users endpoint, which is only available to admins, or by calling the GET /users/me endpoint with an authenticated user session.

Preconditions

The application must be configured to perform actions as users in the Developer Console.

Advanced Features

Additionally, the authenticated user needs to be a user with Admin permissions, meaning either an Admin or Co-Admin. See our guide on User Types for more details.

You cannot use the user_id of Service Accounts in the as-user header.

as-user using SDKs

All of the official Box SDKs support acting on behalf of a user using the as-user header.

.NET
var user_client = new BoxClient(config, session, asUser: '[USER_ID]');
Java
client.asUser([USER_ID]");
// client.asSelf();
Python
user_to_impersonate = client.user(user_id='[USER_ID]')
user_client = client.as_user(user_to_impersonate)
Node
client.asUser('[USER_ID]');
// client.asSelf();

Please note that some of our SDKs create new clients for the other user, while others modify the existing client and provide a way to return to a state where the client authenticates for the original user itself.