XeroAPI - Invoice Attachment access forbidden

Question

Stack: Laravel, XeroPHP

I cannot access the Invoice attachments because I am getting a ForbiddenException:

You are not permitted to access this resource

I am already connected to the API and I am fetching the Invoice data but when I call the Invoice attachments endpoint this exception is being thrown.

I believe there is something I am missing on another layer and not here. Perhaps it's something on the Xero account side? I am using the Demo Company user and its predefined data there (as well as some new invoices created on top of it by my side).

When I hit:

https://api.xero.com/api.xro/2.0/Invoices/InvoiceIDHere/ - I get the results

But when I hit:

https://api.xero.com/api.xro/2.0/Invoices/InvoiceIDHere/Attachments

I am getting:

{
    "Type": null,
    "Title": "Unauthorized",
    "Status": 401,
    "Detail": "AuthorizationUnsuccessful",
    "Instance": "instance_id_here",
    "Extensions": {}
}

Xero Laravel:

There is a predefined relation called attachments and when I call $invoice->attachments I am getting the exception from the first paragraph above... However I call $invoice meaning I have the data to the Invoice and there is no Auth problem, but the problem occurs when trying to access the attachment...

Is there anything I am missing from the Xero Account setup (permissions or sth) or the issue is on my side?

score 2 · Answer 1 · answered May 14 '20 at 12:54

2

Sounds like you may be missing some scopes during your authentication step.

If you want to read attachment data, you'll need to request the 'accounting.attachments.read' scope. If you also want to create/update attachments, you should request the 'accounting.attachments' scope instead.

answered May 14 '20 at 12:54

MJMortimer

865
5
10

Yes! Thank you! I thought that the Attachment read is permitted I added these and it's working. Perhaps it'll work without .read appending too. – Momondo May 14 '20 at 13:16

score -1 · Answer 2 · answered Jul 22 '22 at 11:05

-1

Also,enter image description here you need to pass the "Xero-tenant-id" field in the header as per the below screenshot

answered Jul 22 '22 at 11:05

user3115889

9

This does not provide an answer to the question. Once you have sufficient [reputation](https://stackoverflow.com/help/whats-reputation) you will be able to [comment on any post](https://stackoverflow.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/late-answers/32309400) – hcphoon Jul 27 '22 at 12:14

XeroAPI - Invoice Attachment access forbidden

2 Answers2