OAuth token with tasks:write scope fails to create stories/comments - works with PAT

I’m experiencing a 403 “missing scope” error when creating stories (comments) on tasks via the API using an OAuth token, but the same operation succeeds with a Personal Access Token.

Setup:

  • Endpoint: POST /tasks/{task_gid}/stories
  • Request body: {"data":{"text":"comment text"}}
  • OAuth token scopes: default projects:read custom_fields:read project_sections:read workspaces:read tasks:read tasks:write attachments:read stories:read users:read attachments:write projects:write identity

{
  "errors": [{
    "message": "One of the following scopes must be present to fulfill this request: ",
    "help": "For more information on API status codes and how to handle them, read the docs on errors: https://developers.asana.com/docs/errors"
  }]
}

The exact same API call on the same task succeeds when using a Personal Access Token for the same user account.

Is tasks:write insufficient for creating stories via OAuth apps? The documentation suggests it should work, and the fact that PATs work indicates the underlying permissions exist.

Is this a known limitation or am I missing something?

Any guidance would be appreciated!

This actually makes sense to me, because:

  • stories are a different object from tasks, so any scope involving tasks will be irrelevant to any endpoints involving stories;
  • as it says in the docs, scopes are in preview and are a work in progress - they are currently incomplete and being built out as we speak;
  • specifically, there are read scopes on stories but there are not yet write scopes on them;
  • until they get around to adding write scopes for stories, you’ll need to use the Full Permissions toggle to write a story

PATs don’t support scopes (not sure if they will in the future or not), so it makes sense that operations using a PAT will have whatever full access the user’s account has that created the PAT.

Note: the above is my best understanding; cc’ing @Andrew-asana @Bill_Hewitt to confirm (or correct) what I wrote here.

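One way to triage the 403 from this thread in client code, as an added example that is not part of the original posts or Asana's own code: it parses the error body and treats the empty scope list seen above as "no granular scope can satisfy this call". The function name `diagnose_403`, the comma/whitespace separator and the `example:write` scope are assumptions made for illustration.

```python
import json
import re

# Message prefix copied from the 403 body in the thread; scope names follow it.
SCOPE_PREFIX = "One of the following scopes must be present to fulfill this request:"

def diagnose_403(body: str, granted: set) -> dict:
    """Classify a 403 error body against the scopes granted to the token."""
    try:
        errors = json.loads(body).get("errors")
    except (ValueError, AttributeError):
        return {"kind": "unparseable", "missing": []}
    for err in errors if isinstance(errors, list) else []:
        msg = err.get("message", "") if isinstance(err, dict) else ""
        if not isinstance(msg, str) or not msg.startswith(SCOPE_PREFIX):
            continue
        # Assumption: scope names are separated by commas and/or whitespace.
        required = [s for s in re.split(r"[,\s]+", msg[len(SCOPE_PREFIX):]) if s]
        if not required:
            # Empty list, as in the thread: no granular scope covers this call.
            return {"kind": "no_granular_scope", "missing": []}
        if granted.intersection(required):
            # "One of" semantics: any listed scope suffices, so look elsewhere.
            return {"kind": "scope_present_but_denied", "missing": []}
        return {"kind": "missing_scope", "missing": required}
    return {"kind": "other_403", "missing": []}

# Scopes listed in the original post.
GRANTED = set((
    "default projects:read custom_fields:read project_sections:read "
    "workspaces:read tasks:read tasks:write attachments:read stories:read "
    "users:read attachments:write projects:write identity"
).split())

# Error message from the thread (the scope list after the colon is empty).
THREAD_BODY = json.dumps({"errors": [{"message": SCOPE_PREFIX + " "}]})

# Constructed body naming a placeholder scope, to exercise the other branch.
CONSTRUCTED_BODY = json.dumps(
    {"errors": [{"message": SCOPE_PREFIX + " example:write"}]}
)

if __name__ == "__main__":
    for label, body in (("thread", THREAD_BODY), ("constructed", CONSTRUCTED_BODY)):
        print(label, diagnose_403(body, GRANTED))
```

A `no_granular_scope` result corresponds to the situation the reply describes, where adding more granular scopes to the token cannot help.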