Hello!
I’ve encountered a problem with the invite feature. I would like to create a stream on our site and add people to it later. I’m using graphql for this, and it creates the stream without any issues, but every time I try to add someone, I get a message that I don’t have the necessary permissions.
Could anyone help?
Hey @Gircsi117
We’ll need some more context to understand what’s going on. Are you self-hosting or running these against Speckle on the cloud? If you’re self-hosting - what speckle server version is it and have you made any modifications to it yourself? Also - can you please post the actual error response body? And how did you create SPECKLE_MAIN_KEY - is it a personal access token? What kind of scopes did you give it access to?
Judging by the screenshot I can already see a problem, however - you’re passing in your token in the Authorization header without the ‘Bearer’ prefix (I presume). The header value has to be Bearer {TOKEN} not just {TOKEN}
Regards,
Fabians
Hey @fabians
We host it on the Speckle server.
The SPECKLE_MAIN_TOKEN is an access token generated on the Speckle site that has all the necessary permissions.
The error message we’re getting is.
The header is accepted without any issues elsewhere using this method, for example, fetching data, creating and deleting streams.
In this case, for example, it works flawlessly:
@Gircsi117
streamInviteCreate requires a scope that you don’t have, so it doesn’t have all of the necessary permissions
@fabians
I don’t fully understand how I could augment my own request based on the example you provided.
@Gircsi117 My screenshot is not an example of a GQL query, but the definition of our GQL schema. It shows that you need the “users:invite” scope for your token to be able to invoke the streamInviteCreate mutation.
Judging by the screenshot you posted in your previous reply, your token does not have such a scope. After consulting with the team, I’ve come to understand that the “users:invite” scope is allowed for first party apps only to discourage people from programmatically spamming invite creation.
