403 Forbidden error using app PAT

We have an Asana App to which users OAuth. Later on we can use our App’s PAT to get details of OAuth user’s projects and tasks becuase they granted our app the permission to do so. But when we make an API call to get for example a user’s list of projects we get a Forbidden request response.

    "errors": [
            "message": "You do not have access to this project.",
            "help": "For more information on API status codes and how to handle them, read the docs on errors: https://asana.com/developers/documentation/getting-started/errors"

We are using asana connect for oauth

Do you stock some data in cache locally, and share that cache with multiple users if they can access the same task?
If so, it can happen.
Example, user 1 have access to projets A and B.
User 2 have access to projet B only.
One task is in project A and B at the same time.
If user 1 query the task, it will see that its membership is on both projects.
If user 2 query the same task, it will only see membership of project B.

So if user 1 download and stock cached data for that task, including info of project A, when user 2 uses that cached copy of the task, he doesn’t have access to get informations for project name or any other informations about project A.

No we don’t cache anything.

Does our account has to be a premium account ?

If I’m correctly understanding the scenario you’re describing, I don’t think that design is going to work.

A PAT (Personal Access Token) only provides access to the data within the account of the user that created the PAT. When you say “our app’s PAT”, what does that mean? An app can’t have a PAT, only an Asana user can.

If your users are using OAuth to authenticate, then why aren’t you using the OAuth tokens your app gets from their authentication to access their data? That’s the normal way you’d do an OAuth-based integration.

1 Like

When you say “our app’s PAT”, what does that mean?
It means PAT of the user who is the owner of the app and the PAT. I though PAT is at the app level , but now I understand it belongs to a user.

Indeed, there is no owner of the app. Even though there is an admin, I don’t believe he/she has access to everything, so that won’t be a “master key”.