I have tried the endpoints to get projects and users with a three legged token, and in both cases I get a 403 with a response body that looks like:
{ "code": 1003, "message": "Only support 2 legged access token." }
This seems unequivocal, but doesn't seem to be consistent with the API documentation. Is access really only available using a 2 legged token or have I missed something?
Just to be clear, the endpoints I'm playing with are:
GET https://developer.api.autodesk.com/hq/v1/accounts/:account_id/projects
and
GET https://developer.api.autodesk.com/hq/v1/accounts/:account_id/users
The documentation states "Must be Bearer , where is obtained via OAuth", but there is no mention that only two legged authentication tokens are supported.
Yes, they are BIM360 HQ APIs (well known as Account Admin APIs), part of BIM360 API as I mentioned in the comment above.
Unfortunately, Account Admin APIs only allow access with a 2 legged access token now. In contrast, other APIs like Issues, RFIs, and Checklists support a 3 legged access token and a 3 legged access token with the uid.
Note: "user context required" in the Authentication Context of the documentation means that it requires acting with a 3-legged OAuth token or a 2-legged OAuth token with user impersonation. "app only" means that it supports 2-legged OAuth token only.
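The following is an added example, not part of the original question or answer: it builds a 2-legged (client credentials) token request, a call to the projects endpoint from the question, and a check for the 403 / code 1003 rejection quoted above. The token URL `/authentication/v2/token`, the `account:read` scope and all function names are assumptions that do not appear on this page; the requests are only constructed, not sent.

```python
import base64
import json
import urllib.parse
import urllib.request

BASE = "https://developer.api.autodesk.com"
# Assumptions (not on the page): token endpoint path and scope name.
TOKEN_URL = BASE + "/authentication/v2/token"
SCOPE = "account:read"


def build_token_request(client_id, client_secret):
    """2-legged (client credentials) request: app identity only, no user login."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    form = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": SCOPE})
    return urllib.request.Request(
        TOKEN_URL, data=form.encode(), method="POST",
        headers={"Authorization": "Basic " + basic,
                 "Content-Type": "application/x-www-form-urlencoded"})


def build_projects_request(account_id, access_token):
    """GET the account's projects (endpoint from the question) with a bearer token."""
    safe_id = urllib.parse.quote(account_id, safe="")  # keep the id inside one path segment
    url = f"{BASE}/hq/v1/accounts/{safe_id}/projects"
    return urllib.request.Request(url, headers={"Authorization": "Bearer " + access_token})


def needs_two_legged(status, body):
    """True when a response is the 403 / code 1003 rejection shown in the question."""
    if status != 403:
        return False
    try:
        payload = json.loads(body)
    except (TypeError, ValueError):
        return False  # not JSON, so not the documented error shape
    return isinstance(payload, dict) and payload.get("code") == 1003


# Sample input: the error body quoted in the question.
SAMPLE_403 = '{ "code": 1003, "message": "Only support 2 legged access token." }'

if __name__ == "__main__":
    req = build_token_request("CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER")
    print(req.get_method(), req.full_url)
    print("retry with 2-legged token:", needs_two_legged(403, SAMPLE_403))
```

Because a 2-legged token carries no user identity, the client secret should stay server-side and the token should be requested with only the scope the call needs.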