The api call at create-access-request | SailPoint Developer Community lists the scope required as idn:access-request:create, this scope is not available to assign to clients. Is it just missing from the list (bug), or is the wrong scope documented?
It is the same for PAT so I assume since the :manage has create under it, that is the correct scope, but I agree the doc should have “idn:access-request:manage” instead.
Thanks for pointing this out @ethompson. idn:access-request:manage is the correct scope for giving create privileges to tokens. I have created a documentation ticket to fix this.