Issue with API key authorisation

What problem are you observing?

When working with a global API key (from the API management), we’re unable to use the “/v3/auth-users/” endpoint, even if the key is granted “sp:scopes:all”.

What is the correct behavior?

We expect any global API key with “sp:scopes:all” to have the exact same permissions as a PAT API key with “sp:scopes:all”.

What product feature is this related to?

Any API call, but specifically noticed now in “/v3/auth-users/”

What are the steps to reproduce the issue?

Create a new API key in API management, and grant “sp:scopes:all”. Then run “/v3/auth-users/” (either a GET or a PATCH with the proper body will do). You’ll get an HTTP 403.

Do you have any other information about your environment that may help?

None that is applicable here.

2 Likes

Hi Edwin,
I’ve just reported this as a bug as I have exactly the same issue.

I’m guessing this is a bug in the documentation vs. functionality. When running this API call with a user context (i.e. PAT), then it works as expected.

Agree, but as you provide the user ID in the call there is actually no reason why user context would be needed.

There’s a difference in the token content between a PAT and an API token. If you take each token and pass it through a token parser (i.e. https://jwt.io/) you’ll see the differences. The PAT-based token contains a user context that is required for some of the APIs.
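The comparison the last reply describes can be done offline instead of pasting a live token into a third-party web tool. The script below is an added example, not code from this thread or from the vendor: it builds two constructed HS256 tokens whose claim names (`user_id`, `user_name`, `scope`, and so on) are placeholders and not the product's real claims, decodes both payloads, and reports which claims exist only in one of them. It also shows that decoding a payload is not the same as verifying it: the signature check is a separate step with the (constructed) signing key.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real issuer's key is never available client-side.
SIGNING_KEY = b"constructed-demo-key-not-real"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding that JWT segments drop, then decode."""
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded)


def make_token(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT (header.payload.signature) for the demo."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_claims(token: str) -> dict:
    """Decode header and payload only; this does NOT check the signature."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
    }


def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute the HMAC over header.payload and compare in constant time."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(
        key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def claim_diff(token_a: str, token_b: str) -> dict:
    """Report claims present in only one token, and shared claims whose values differ."""
    a = decode_claims(token_a)["payload"]
    b = decode_claims(token_b)["payload"]
    shared = set(a) & set(b)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "differing_values": sorted(k for k in shared if a[k] != b[k]),
    }


# Constructed sample tokens. Claim names are hypothetical placeholders chosen to
# illustrate "user context present" vs. "absent"; they are not the vendor's claims.
PAT_TOKEN = make_token(
    {
        "iss": "example-idp",
        "sub": "api-client-1",
        "scope": "sp:scopes:all",
        "user_id": "12345",      # user context (assumed claim name)
        "user_name": "edwin",    # user context (assumed claim name)
        "exp": 1700000000,
    },
    SIGNING_KEY,
)
API_KEY_TOKEN = make_token(
    {
        "iss": "example-idp",
        "sub": "api-client-2",
        "scope": "sp:scopes:all",
        "exp": 1700000000,
    },
    SIGNING_KEY,
)

if __name__ == "__main__":
    print(json.dumps(claim_diff(PAT_TOKEN, API_KEY_TOKEN), indent=2))
    print("PAT signature valid:", verify_hs256(PAT_TOKEN, SIGNING_KEY))
```

Running it shows both tokens carrying the same `scope` while only the PAT-style token carries the user-context claims, which is the kind of difference the reply points at; the same scope string does not imply the same claim set.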