My API account has Employee:All Permissions, but 403 Errors?

gregarican Member Posts: 466
edited December 2019 in Development

For the past couple of years I've had a program that pulls Lightspeed Retail sales, refunds, stock, etc. via the API. It worked just fine, up until 12/7/2019.

My API account appears to have full access to the Lightspeed Retail shop, but when I try to pull data I'm getting 403 errors. I'll post some API request/response pairs below.

One thing I did notice is that the Lightspeed Retail user account that I OAuth'ed the API account with has had its own permissions changed. No access to Settings, no access to Reports, etc. Would that in turn affect the API account permissions, even with the API account's scope being Employee:All?


POST https://cloud.merchantos.com/oauth/access_token.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: cloud.merchantos.com
Content-Length: 233
Expect: 100-continue

client_id={myClientId}&client_secret={myClientSecret}&refresh_token={myRefreshToken}&grant_type=refresh_token

HTTP/1.1 200 OK
Date: Mon, 09 Dec 2019 13:34:40 GMT
Content-Type: application/json
Content-Length: 181
Connection: keep-alive
Set-Cookie: __cfduid=d24ba65fff13e2219dde23e515c3599ea1575898479; expires=Wed, 08-Jan-20 13:34:39 GMT; path=/; domain=.merchantos.com; HttpOnly; Secure
x-frame-options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Cache-Control: no-store
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 54275b9ad990e1be-ORD

{"access_token":"{myAccessToken}","expires_in":1737,"token_type":"bearer","scope":"employee:all","refresh_token":"{myRefreshToken}"}


------------------------------------------------------------------


GET https://us.merchantos.com/API/Account/{myAccountId}/VendorReturn.json?limit=100&timeStamp=%3E%3C%2C2019-12-06T23:59:59-04:00%2C2019-12-07T23:59:59-04:00&offset=0 HTTP/1.1
Authorization: Bearer {myAuthorization}
Host: us.merchantos.com

HTTP/1.1 403 Forbidden
Date: Mon, 09 Dec 2019 13:34:40 GMT
Content-Type: application/json
Connection: keep-alive
Set-Cookie: __cfduid=db032b4116fb089b23833fb2db5726f981575898480; expires=Wed, 08-Jan-20 13:34:40 GMT; path=/; domain=.merchantos.com; HttpOnly; Secure
x-frame-options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-LS-Acct-Id: 164019
X-LS-OAuth-Client-Id: 64577
X-LS-API-Bucket-Level: 1/100
X-LS-Shard-Id: 18
X-LS-API-Drip-Rate: 5
X-LS-Master-System: false
X-LS-Master-Account: false
X-LS-Master-Catalog: false
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 54275b9f6a8d9db3-ORD
Content-Length: 158

{"httpCode":"403","httpMessage":"Forbidden","message":"Not Authorized: Insufficient rights to perform the request","errorClass":"InsufficientRightsException"}


------------------------------------------------------------------


4 comments

  • Leah Moderator, Lightspeed Staff Posts: 187 moderator

    Hi @gregarican, the issue is indeed that the employee rights have changed. Your client only has as much authorization as the user that authorized it. Employee:All signifies all the permissions granted to the authorizing employee. You can either request from the owner that the employee's permissions be increased to cover all of the areas where you need API access, or else have a user with more permissions re-authorize your client on this shop.

    API Support
    Lightspeed HQ
  • gregarican Member Posts: 466

    Gotcha. Makes sense. The shop owner, without prior notice, changed the user account permissions. If they change them back then I should be good, right? I won't have to go in and re-OAuth again, will I?


    Thanks for the quick feedback!

  • Leah Moderator, Lightspeed Staff Posts: 187 moderator

    As long as the owner is willing to change the permissions back on that employee, you won't need to redo the OAuth.

    API Support
    Lightspeed HQ
  • gregarican Member Posts: 466

    That did the trick. Thanks for the quick help!
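The point Leah makes above, that an employee:all token only ever carries the rights of the employee who authorized the client, has a practical consequence for how an integration should handle the two failure codes in the thread: a 401 on the bearer token is something a refresh_token grant can fix, while a 403 with errorClass InsufficientRightsException is a permission change on the authorizing employee that no amount of re-refreshing will cure, so the client should stop retrying and surface it for an operator. The following is an added example written for this thread, not code from the original poster or from Lightspeed. It replays the exchange quoted above against a stand-in transport (FakeTransport, a hypothetical class that stands in for an HTTP library and whose 401 body is constructed, not observed); the token URL, API base path, the refresh_token form body and the 403 JSON body are taken from the thread.

```python
"""Added example: reacting correctly to 401 (refreshable) vs. 403 InsufficientRightsException
(authorizing employee lacks the right; refreshing cannot help) on the Lightspeed Retail API."""
import json
from urllib.parse import urlencode, parse_qsl

TOKEN_URL = "https://cloud.merchantos.com/oauth/access_token.php"  # from the thread
API_BASE = "https://us.merchantos.com/API/Account/{account}/"      # from the thread


class PermissionDenied(Exception):
    """The bearer token is valid, but the employee who authorized the client lacks the right."""


class FakeTransport:
    """Hypothetical stand-in for an HTTP library. POST mints a bearer token; GET answers from
    a table of the authorizing employee's rights, mirroring what the thread describes."""

    def __init__(self, employee_rights):
        self.employee_rights = set(employee_rights)  # rights of the authorizing employee
        self.refresh_calls = 0
        self.token_ttl = 0  # GETs left before the simulated token "expires"

    def post(self, url, form_body):
        form = dict(parse_qsl(form_body))  # x-www-form-urlencoded, as in the thread
        assert url == TOKEN_URL and form.get("grant_type") == "refresh_token"
        self.refresh_calls += 1
        self.token_ttl = 3
        body = {"access_token": "tok-%d" % self.refresh_calls, "expires_in": 1737,
                "token_type": "bearer", "scope": "employee:all",
                "refresh_token": form["refresh_token"]}
        return 200, json.dumps(body)

    def get(self, url, headers):
        if self.token_ttl <= 0:  # constructed 401 body; the real one is not shown in the thread
            return 401, json.dumps({"httpCode": "401", "httpMessage": "Unauthorized"})
        self.token_ttl -= 1
        resource = url.split("/API/Account/", 1)[1].split("/", 1)[1].split(".json", 1)[0]
        if resource not in self.employee_rights:
            # Same shape as the 403 body quoted in the original post.
            return 403, json.dumps({
                "httpCode": "403", "httpMessage": "Forbidden",
                "message": "Not Authorized: Insufficient rights to perform the request",
                "errorClass": "InsufficientRightsException"})
        return 200, json.dumps({resource: []})


class LightspeedClient:
    def __init__(self, account, client_id, client_secret, refresh_token, transport):
        self.account = account
        self.creds = {"client_id": client_id, "client_secret": client_secret,
                      "refresh_token": refresh_token}
        self.transport = transport
        self.access_token = None
        self.scope = None

    def refresh(self):
        """refresh_token grant exactly as in the thread's POST; returns the granted scope."""
        form_body = urlencode(dict(self.creds, grant_type="refresh_token"))
        status, body = self.transport.post(TOKEN_URL, form_body)
        if status != 200:
            raise RuntimeError("token refresh failed: HTTP %d %s" % (status, body))
        data = json.loads(body)
        self.access_token, self.scope = data["access_token"], data["scope"]
        return self.scope

    def get(self, resource, **params):
        if self.access_token is None:
            self.refresh()
        url = API_BASE.format(account=self.account) + resource + ".json"
        if params:
            url += "?" + urlencode(params)
        for attempt in range(2):
            headers = {"Authorization": "Bearer " + self.access_token}
            status, body = self.transport.get(url, headers)
            if status == 401 and attempt == 0:
                self.refresh()  # token problem: a fresh bearer token can fix it, retry once
                continue
            if status == 403 and json.loads(body).get("errorClass") == "InsufficientRightsException":
                # employee:all only mirrors the authorizing employee's rights, so another
                # refresh cannot help; stop retrying and surface the condition.
                raise PermissionDenied("%s: %s (token scope=%s)" % (
                    resource, json.loads(body).get("message"), self.scope))
            if status != 200:
                raise RuntimeError("HTTP %d on %s: %s" % (status, resource, body))
            return json.loads(body)


def replay_thread():
    """Rights removed -> 403 surfaced; rights restored -> works without re-authorizing."""
    transport = FakeTransport(employee_rights={"Sale"})  # VendorReturn right taken away
    client = LightspeedClient("164019", "{myClientId}", "{myClientSecret}", "{myRefreshToken}", transport)
    outcomes = []
    try:
        client.get("VendorReturn", limit=100, offset=0)
    except PermissionDenied:
        outcomes.append("denied")
    transport.employee_rights.add("VendorReturn")  # owner restores the employee's rights
    client.get("VendorReturn", limit=100, offset=0)
    outcomes.append("ok")
    return outcomes, transport.refresh_calls  # one refresh in total: no re-OAuth was needed
```

replay_thread() follows the thread end to end: the first call is refused with the 403 body, and once the employee's right is back the same token works, with the refresh count staying at one, which is the "you won't need to redo the OAuth" outcome. Treating InsufficientRightsException as non-retryable also keeps an integration from burning its X-LS-API-Bucket-Level on requests that cannot succeed.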
