How to sort out the complexity of scopes and permissions

Is there a document that describes exactly how to sort out scope errors on an API call? I read several posts, each with a slightly different issue across multiple types of APIs. Here is what I am encountering (and have encountered before and can’t remember how I solved it). This is specific to this API call but I need a “generic” set of instructions because I know I have run into this before on other API calls.

First, I do understand that there is an “intersection” of the account role you are assigned, the permissions on the role, the scopes requested on the API call and, I think, the type of account(s) you hold (e.g. “Master” vs whatever). Those all have to be correct. We have two enterprise accounts (one as an ISV, I think). In the ISV account, I created a new user account and assigned it with an Admin role. I am attempting to call the Get Plan Usage API so I can get the number of overall licenses we have and how many are in use. I call it this way in Postman:
{{baseUrl}}/accounts/me/plans/usage (I also tried it with our account ID). When I call it with our account ID what I see is this error:

“message”: “Invalid access token, does not contain scopes: [billing:write:master, billing:read:master, billing:master].”

The scopes settings on the App are

And the role access in the user admin panel is:

I don’t see any other options I can check to add the permissions so they are reflected in the scopes as the error indicates.

So there is an issue here, but what is it? Is it an account issue? Is it a role issue? Permissions within the role? The issue is a wee bit frustrating because the error doesn’t say how to fix it yet I am sure that under the covers it knows what is wrong with my account and the call.

Is there a series of diagnostic steps I can take to determine where the problem actually lies? I don’t see anywhere where I could make a change and have it correct the scopes.



Hi @pete_h ,

I think the error codes are not always up to date with changes to the API so, unfortunately, I cannot give a definitive answer on sorting the complexity of scopes and permissions, but I’ll note this as something we need to address.

From everything you’ve shared, it seems like you are calling the endpoint correctly and have things on the account/permission side set up properly.

What do you see when you call it with me?

Thanks Gianni,

So, I don’t know what the issue was/is but I used a completely different instance of Postman on a different development PC and it worked this time with “me”. There were some other oddities with the original Postman instance I was using which I thought I had ruled out by deleting the entire forked set of API calls and starting from scratch. But I have it working on this other development PC and I’ll see if I can retrace my steps and fix whatever was wrong with my main development environment.

I have one follow-up question for you though, regarding Postman and Zoom: If I have two completely different accounts, like a dev account and a production account, and I have two different development accounts for them, what would be the best practice of having both OAuth configs in the same Postman environment? What I’d like to do is run an API call with one set of OAuth credentials but then switch to running the same API call with different OAuth credentials. I tried forking the Easy OAuth 2 authorization with a different name and then having different variables with the ClientID and Secret used in the second instance but I couldn’t seem to get it to work. Is it possible to have two different OAuth credentials in Postman and switch between them (selecting a different Token_Name each time)?

Again, thanks for the help.


Glad the original issue is resolved! As for this, check out the workspace overview and the attached tutorials. You would use the workspace variables feature to access use of development and production credentials 🙂
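
Added example, not part of any post in this thread: one diagnostic check for the scope error quoted in the first post, applied to two credential sets as in the follow-up question. It compares the scopes named in the error with the scopes each token was actually issued with; the function names and the sample token responses are constructed, and it assumes the token response carries a space-delimited `scope` field.

```javascript
// Added example; function names and sample token responses are constructed.

// Error text as quoted in the first post of the thread.
const ERROR_MESSAGE =
  "Invalid access token, does not contain scopes: " +
  "[billing:write:master, billing:read:master, billing:master].";

// Extract the scope names listed in an error message of that shape.
function scopesNamedInError(message) {
  const m = /does not contain scopes:\s*\[([^\]]*)\]/.exec(message);
  return m ? m[1].split(",").map((s) => s.trim()).filter(Boolean) : [];
}

// Assumption: the token endpoint response has a space-delimited "scope"
// field, as in RFC 6749 section 5.1.
function grantedScopes(tokenResponse) {
  return new Set(String(tokenResponse.scope || "").split(/\s+/).filter(Boolean));
}

// For each named credential set, report which scopes from the error the token
// actually carries. The page does not say whether the endpoint needs one or
// all of the listed scopes, so the result only separates the three cases.
function diagnose(message, tokenResponses) {
  const named = scopesNamedInError(message);
  const report = {};
  for (const [name, response] of Object.entries(tokenResponses)) {
    const granted = grantedScopes(response);
    const present = named.filter((s) => granted.has(s));
    const absent = named.filter((s) => !granted.has(s));
    const status =
      named.length === 0 ? "no-scopes-in-error"
      : present.length === 0 ? "none-present"
      : absent.length === 0 ? "all-present" : "some-present";
    report[name] = { present, absent, status };
  }
  return report;
}

// Constructed token responses for two credential sets (values are samples).
const SAMPLE_TOKENS = {
  dev: { access_token: "<redacted>", scope: "user:read:admin meeting:read:admin" },
  prod: { access_token: "<redacted>", scope: "billing:master user:read:admin" },
};

console.log(JSON.stringify(diagnose(ERROR_MESSAGE, SAMPLE_TOKENS), null, 2));
```

A `none-present` result means the token in use was issued without any of the scopes the error names, so the app's scope configuration and a fresh authorization are the places to look rather than the request itself.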