On the TapKey Integrator Portal I have a Client Credentials OAuth client, which I created after logging into my owner account.

I can use this to successfully authenticate against https://login.tapkey.com/connect/token with the following scopes:

write:ip:users read:ip:users read:owneraccounts write:owneraccounts read:core:entities write:core:entities read:grants write:grants

However, when I try and call GET https://my.tapkey.com/api/v1/Owners/{my-owner-id}/BoundLocks using the bearer token returned from the connect/token endpoint, I am getting a 403 back.

The locks are owned by the same account I logged into the Integrator portal and created the OAuth client with.

What am I doing wrong?

Thanks

JMK

1 Answer

The first thing to check in this case is whether the Client Credentials client has administrator rights to the owner account.

As you most likely know, this client acts as its own user and the user identified with an email address in format {oauth_client_id}@iam.serviceaccount.tapkey.com must be added as a co-administrator of the desired owner account.

The option to do this automatically is available when you are creating such an OAuth client (as a checkbox), but it can be assigned manually later as well.

The reason this is not always done automatically is that the OAuth client does not necessarily need to manage the owner account it has been created in.

eduard
  • Aha! I was clearing out smartphone users and must have deleted the administrator user by accident. It could be useful to not have this listed alongside normal smartphone users – JMK Nov 10 '22 at 13:07
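
The check described in the answer, as an added example that is not part of the original thread or Tapkey's own code: it runs the token request and the BoundLocks call from the question and separates an authentication failure (401) from the missing co-administrator case (403). The form parameters are the standard OAuth 2.0 client-credentials ones and are an assumption about the token endpoint; the function names and the `TAPKEY_*` environment variables are hypothetical.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.tapkey.com/connect/token"  # from the question
API_BASE = "https://my.tapkey.com/api/v1"             # from the question


def service_account_email(client_id):
    """User the Client Credentials client acts as (format given in the answer)."""
    return f"{client_id}@iam.serviceaccount.tapkey.com"


def http_call(method, url, headers=None, form=None):
    """Return (status, body) and do not raise on 4xx/5xx responses."""
    data = urllib.parse.urlencode(form).encode() if form else None
    req = urllib.request.Request(url, data=data, headers=headers or {}, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def check_bound_locks(client_id, client_secret, owner_id, scope, http=http_call):
    """Request a token, call BoundLocks, and explain the resulting status."""
    status, body = http("POST", TOKEN_URL, form={
        "grant_type": "client_credentials",  # assumed: standard OAuth 2.0 form fields
        "client_id": client_id, "client_secret": client_secret, "scope": scope})
    if status != 200:
        return f"token request failed ({status}): check client id, secret and scopes"
    token = json.loads(body)["access_token"]
    status, _ = http("GET", f"{API_BASE}/Owners/{owner_id}/BoundLocks",
                     headers={"Authorization": f"Bearer {token}"})
    if status == 200:
        return "ok: the client is authorized for this owner account"
    if status == 401:
        return "401: token missing, expired or rejected (authentication problem)"
    if status == 403:
        return ("403: token accepted but not authorized; add "
                f"{service_account_email(client_id)} as co-administrator of {owner_id}")
    return f"unexpected status {status}"


if __name__ == "__main__":
    env = os.environ  # hypothetical variable names; keep the secret out of source
    print(check_bound_locks(env["TAPKEY_CLIENT_ID"], env["TAPKEY_CLIENT_SECRET"],
                            env["TAPKEY_OWNER_ID"], "read:core:entities"))
```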