403 forbidden or 400 bad requests using api tokens

Hi All,

For reasons I won’t get into, I have to access the HTTP API from windows to populate spreadsheets and stuff. Some of the data I will access will require authentication (e.g.: email addresses of contributors).

It doesn’t like the bearer tokens when I use them, spitting out “403” or “400” depending on the scope of the token I generate.

Any tips? Should I ask my admins to dump some log files for me?
VBS script below:

Option Explicit
Dim ID, server, api_key, path, params, requestString, objHTTP

ID = 34
server = "..."   ' base URL of the Indico server
api_key = "someASCII pasted from the preferences window"   ' personal access token
path = "/export/timetable/" & ID & ".xml?"
params = "detail=contributions&pretty=yes&order=start"
requestString = path & params

Set objHTTP = CreateObject("MSXML2.ServerXMLHTTP")

objHTTP.open "GET", server & requestString, False
' The token is sent as a Bearer token in the Authorization header
objHTTP.setRequestHeader "Authorization", "Bearer " & api_key
objHTTP.send

' Print status and body: on 400/403 the body carries the actual error message
WScript.Echo objHTTP.status & " " & objHTTP.statusText
WScript.Echo objHTTP.responseText
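A Python equivalent of the request above, added here as an example and not part of the original post: it builds the same `/export/timetable/<id>.xml` GET with a Bearer token, returns the status and body on 400/403 instead of raising (the body is what the reply below asks for), and redacts the token from the headers before they are pasted anywhere. The server name, the token, and `FakeIndicoOpener` (a constructed stand-in that mimics the scope behaviour described later in this thread, using the scope display names rather than Indico's internal scope identifiers) are assumptions so the script runs offline; pass `opener=None` to `fetch` to talk to a real server.

```python
import io
import json
import urllib.error
import urllib.parse
import urllib.request
import urllib.response


def build_export_request(server, event_id, api_token, params):
    """Same request as the VBS script: GET /export/timetable/<id>.xml?<params>
    with the personal access token sent as a Bearer token."""
    query = urllib.parse.urlencode(params)
    url = f"{server.rstrip('/')}/export/timetable/{event_id}.xml?{query}"
    return urllib.request.Request(
        url, method="GET", headers={"Authorization": f"Bearer {api_token}"})


def fetch(req, opener=None):
    """Send the request and return (status, body). HTTP errors are not raised:
    the 400/403 body is where the server explains what it rejected."""
    opener = opener or urllib.request.build_opener()
    try:
        with opener.open(req) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def redacted_headers(req):
    """Copy of the request headers that is safe to paste into a bug report:
    the token value is replaced, only the auth scheme is kept."""
    out = {}
    for name, value in req.header_items():
        if name.lower() == "authorization":
            scheme, _, _token = value.partition(" ")
            out[name] = f"{scheme} <redacted>"
        else:
            out[name] = value
    return out


class FakeIndicoOpener:
    """Constructed stand-in for the server (sample behaviour, not Indico code):
    anonymous requests succeed; token requests succeed only when the token's
    scopes cover the endpoint, with detail=contributions also needing the
    'Everything (GET)' scope as the thread describes."""

    def __init__(self, token_scopes):
        self.token_scopes = set(token_scopes)

    def open(self, req):
        url = req.get_full_url()
        params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        needed = {"Classic API (read)"}
        if params.get("detail") == ["contributions"]:
            needed.add("Everything (GET)")
        missing = set() if not req.get_header("Authorization") else needed - self.token_scopes
        if missing:
            body = json.dumps({"message": "token lacks required scope",
                               "missing_scopes": sorted(missing)}).encode()
            raise urllib.error.HTTPError(url, 403, "Forbidden", {}, io.BytesIO(body))
        return urllib.response.addinfourl(io.BytesIO(b"<timetable/>"), {}, url, 200)


if __name__ == "__main__":
    req = build_export_request("https://indico.example.org", 34, "PASTE-TOKEN-HERE",
                               {"detail": "contributions", "pretty": "yes", "order": "start"})
    for scopes in (["Classic API (read)"], ["Classic API (read)", "Everything (GET)"]):
        status, body = fetch(req, FakeIndicoOpener(scopes))
        print(scopes, "->", status, body)
    print("headers safe to share:", redacted_headers(req))
```

Run it as-is to see the 403 body for the single-scope token and the 200 for the two-scope token; when reporting a failure against a real server, share the output of `fetch` together with `redacted_headers(req)` rather than a screenshot that may include the token.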

Are you using an API key (deprecated) or a Personal Access token? If you use the latter (which sounds like the case since you mentioned scopes), it should work fine. If not, can you provide the actual error response (body)? It’s usually pretty verbose.

Thanks for the fast reply!

I’m using the OAuth style token.

Here’s the response

[screenshot of the error response]

EDIT:
Note that the request works fine without the token, but I was just testing WITH the token for when I try to access other items.

Which scope does that token have? You need “Classic API (read)” for any of the /export/... APIs.

Classic API (read only)

OK, found the bug. It only happens with detail=contributions and it happens because there’s a call to some code that accesses the logged-in user which triggers code that’s doing another oauth token check using standard scopes.

As a workaround until we fix it (likely next release) you can add the “Everything (GET)” scope to the token.

OK, shifting to Everything (GET) for the token gives a 400 bad request, and an HTML version of the same error!

You need both scopes, not just one of them.

Excellent, that did the trick, thanks!

You may wish to rethink the word “everything” in future versions :wink:

https://docs.getindico.io/en/stable/http-api/access/#api-token-authentication

The everything scopes are special because they can be used with any Indico endpoint (including file attachments), i.e. they are not restricted to official APIs. This has the advantage that even Indico actions which do not have a corresponding API can be scripted. Endpoints covered by the legacy_api scopes are not included; these scopes need to be granted explicitly.

:wink:
