as-user Header

as-user Header

It is possible to for a JWT application to act on behalf of another user through the as-user header.

curl https://api.box.com/2.0/folders/0 \
  -H "as-user: [USER_ID]"
  -H "authorization: Bearer [ACCESS_TOKEN]"

In this situation the user ID is the Box identifier for a user. User IDs can found for any user via the GET /users endpoint, which is only available to admins, or by calling the GET /users/me endpoint with an authenticated user session.

Preconditions

Using the as-user header has a few requirements. Firstly, the application needs to be configured to perform actions as users in the developer console.

Advanced Features

Additionally, the authenticated user needs to be a user with admin permissions, meaning either an admin, co-admin, or service account. See our guide on User Types for more details.

as-user using SDKs

All of the official SDKs support acting on behalf of a user using the as-user header.

.NET
var user_client = new BoxClient(config, session, asUser: '[USER_ID]');
Java
client.asUser([USER_ID]");
// client.asSelf();
Python
user_to_impersonate = client.user(user_id='[USER_ID]')
user_client = client.as_user(user_to_impersonate)
Node
client.asUser('[USER_ID]');
// client.asSelf();

Please note that some of our SDKs create new clients for the other user, while others modify the existing client and provide a way to return to a state where the client authenticates for the original user itself.