
TapKey - Getting a 403 forbidden error when trying to view own locks via the API


On the TapKey Integrator Portal I have a Client Credentials OAuth client, which I created after logging into my owner account.

I can use this to successfully authenticate against https://login.tapkey.com/connect/token with the following scopes:

write:ip:users read:ip:users read:owneraccounts write:owneraccounts read:core:entities write:core:entities read:grants write:grants

However, when I try to call GET https://my.tapkey.com/api/v1/Owners/{my-owner-id}/BoundLocks using the bearer token returned from the connect/token endpoint, I am getting a 403 back.

The locks are owned by the same account I logged into the Integrator portal and created the OAuth client with.

What am I doing wrong?

Thanks


Solution

  • The first thing to check in this case is whether the Client Credentials client has administrator rights to the owner account.

    As you most likely know, this client acts as its own user and the user identified with an email address in format {oauth_client_id}@iam.serviceaccount.tapkey.com must be added as a co-administrator of the desired owner account.

    The option to do this automatically is available when you are creating such an OAuth client (as a checkbox), but it can be assigned manually later as well.

    The reason this is not always done automatically is that the OAuth client does not necessarily need to manage the owner account it was created in.
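The flow from the question and the check from the answer, as an added example that is neither part of the original post nor Tapkey's own code: it runs the client credentials grant against login.tapkey.com/connect/token with the Python standard library, calls the BoundLocks endpoint, and turns a 403 into the co-administrator check the answer describes. It assumes that the token endpoint accepts client_id and client_secret in the POST body (RFC 6749 section 2.3.1) and that the access token is a JWT whose payload carries a scope claim; neither is stated on the page, so confirm both against Tapkey's documentation. demo_send is a constructed stand-in for the network so the script can be exercised offline.

```python
"""Client-credentials flow against Tapkey plus a diagnosis of the 403 from the question.
Added example, not Tapkey's code. Assumptions: client_id/client_secret accepted in the
token POST body; access token is a JWT with a scope claim."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.tapkey.com/connect/token"
API_BASE = "https://my.tapkey.com/api/v1"
# Read-only subset of the scopes listed in the question: request only what the call needs.
SCOPES = "read:owneraccounts read:core:entities"
SERVICE_ACCOUNT_DOMAIN = "iam.serviceaccount.tapkey.com"


def service_account_email(client_id):
    """The user a Client Credentials client acts as, in the format given in the answer."""
    return f"{client_id}@{SERVICE_ACCOUNT_DOMAIN}"


def token_request(client_id, client_secret, scopes=SCOPES):
    """Client credentials grant (RFC 6749 section 4.4); credentials in the body is an assumption."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scopes,
    }).encode()
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"})


def bound_locks_request(access_token, owner_id):
    """GET /Owners/{owner_id}/BoundLocks with the bearer token; owner_id is URL-encoded."""
    url = f"{API_BASE}/Owners/{urllib.parse.quote(str(owner_id), safe='')}/BoundLocks"
    return urllib.request.Request(
        url, headers={"Authorization": f"Bearer {access_token}", "Accept": "application/json"})


def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature: local diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return None


def send(req):
    """Return (status, body); 4xx/5xx are data here, not exceptions."""
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def diagnose(status, client_id, claims=None):
    """Map the status of the BoundLocks call to the next thing to check."""
    if status == 200:
        return "ok"
    if status == 401:
        return "401: bearer token not accepted; check the token endpoint response and the Authorization header"
    if status == 403:
        if claims is not None:
            granted = claims.get("scope", [])
            if isinstance(granted, str):
                granted = granted.split()
            if "read:core:entities" not in granted:
                return "403: token was issued without read:core:entities; enable that scope on the client"
        return (f"403: token is valid but {service_account_email(client_id)} is not a "
                "co-administrator of this owner account; add it under the account's administrators")
    return f"{status}: unexpected response"


def fetch_bound_locks(client_id, client_secret, owner_id, transport=send):
    """Full flow: token, then BoundLocks. Returns (status, locks_or_None, verdict)."""
    status, body = transport(token_request(client_id, client_secret))
    if status != 200:
        return status, None, f"token request failed with {status}: {body[:200]!r}"
    token = json.loads(body)["access_token"]
    status, body = transport(bound_locks_request(token, owner_id))
    locks = json.loads(body) if status == 200 else None
    return status, locks, diagnose(status, client_id, jwt_claims(token))


def _unsigned_jwt(claims):
    """Constructed, unsigned token for the offline demo only; never accept alg=none for real."""
    def seg(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}."


def demo_send(req):
    """Constructed stand-in for send(): replays the exchange from the question offline."""
    if req.full_url == TOKEN_URL:
        token = _unsigned_jwt({"client_id": "my-client", "scope": SCOPES.split()})
        return 200, json.dumps({"access_token": token, "token_type": "Bearer"}).encode()
    return 403, b""


if __name__ == "__main__":
    print(fetch_bound_locks("my-client", "secret", "owner-1", transport=demo_send))
```

Replace demo_send with the real send (the default) and your own client id, secret and owner id to run it against the live API; a 403 with a token that carries the scope is the case the answer describes, and the fix is on the owner account's administrator list, not in the request.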