Missing or Invalid Scope for requested endpoint

(John) #1


I am running into this issue when I request an account’s funding sources (GET https://api.dwolla.com/accounts/{id}/funding-sources). I have the account ID, and when the account was set up I requested the Send / Funding / Account Info Full scopes, so I am surprised by this error.

My plan is to get customer 1’s funding source using the Account ID, and then to enact a transfer from that customer 1’s funding source to customer 2’s Account ID.

Thanks for your help.

(John) #2

Also, my headers are:

'Content-Type': 'application/json',
'Accept': 'application/vnd.dwolla.v1.hal+json',
'Authorization': 'Bearer ' + Application Access Token

And I am using the sandbox, and making the request to https://api-sandbox.dwolla.com

(Spencer Hunter) #3

Hi @GME, If you’re looking to fetch an account’s list of funding sources then you’ll need an account access token and not an application access token. The only exception for when you can use an application access token is if you’re integrating with our Access API.

To obtain an account access token, you’ll send a user through the OAuth flow.

(John) #4

Hi Spencer,

Thanks for the reply – that is very helpful.

I am running into a separate issue in acquiring the account access tokens. When a user first signs up for Dwolla through my app, I get their account ID and refresh token.

When I use this refresh token to get that user’s account access token, I get the error "Access Denied; Invalid refresh token", even though the refresh token is brand new and has not expired.

Do you have any ideas about what may be causing this? The full request is below:

http.get('/oauth/v2/token?client_id=' + clientId + '&client_secret=' + clientSecret + '&grant_type=refresh_token&refresh_token=' + refreshToken, {}, {
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
    'Accept': 'application/vnd.dwolla.v1.hal+json',
    'Authorization': 'Bearer ' + applicationAccessToken
  }
});

(John) #5

The base url is 'https://sandbox.dwolla.com/'

(Spencer Hunter) #6

Hi @GME, The API call to exchange a refresh token for a new access token and refresh token pair should be a POST and not a GET. Are you using the ‘http’ library in node.js and is the request coming from your backend server?
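The correction described in the reply above, as an added example that is not part of the original posts or Dwolla's own code: the refresh-token exchange built as a POST with the parameters in the body, next to a check that flags the GET shape, which also puts `client_secret` and `refresh_token` in a URL that proxies and access logs record. The form-encoded body follows the Content-Type in the question and is an assumption, as are the function names and the placeholder credentials.

```javascript
// Added example: build the refresh-token exchange as a POST with a form body.
// All credential values are constructed placeholders.
const TOKEN_PATH = '/oauth/v2/token';
const SECRET_PARAMS = ['client_secret', 'refresh_token', 'access_token'];

// Returns a plain request description that any HTTP client can send.
function buildRefreshRequest(baseUrl, clientId, clientSecret, refreshToken) {
  const body = new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    grant_type: 'refresh_token',
    refresh_token: refreshToken,
  });
  return {
    method: 'POST',
    url: new URL(TOKEN_PATH, baseUrl).toString(),
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Flags the two problems in the GET version: wrong verb, secrets in the URL.
function auditTokenRequest(req) {
  const findings = [];
  if (req.method.toUpperCase() !== 'POST') {
    findings.push('token exchange must be a POST');
  }
  const query = new URL(req.url).searchParams;
  for (const name of SECRET_PARAMS) {
    if (query.has(name)) findings.push(name + ' is exposed in the URL');
  }
  return findings;
}

// The request shape from the question, rebuilt with placeholder values.
const asPosted = {
  method: 'GET',
  url: 'https://sandbox.dwolla.com/oauth/v2/token?client_id=CLIENT_ID' +
    '&client_secret=CLIENT_SECRET&grant_type=refresh_token&refresh_token=REFRESH_TOKEN',
};
const fixed = buildRefreshRequest(
  'https://sandbox.dwolla.com/', 'CLIENT_ID', 'CLIENT_SECRET', 'REFRESH_TOKEN');

console.log(auditTokenRequest(asPosted)); // three findings
console.log(auditTokenRequest(fixed));    // no findings
```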

(John) #7

Great, thank you, that was it!

I am using axios (with node.js) and the request is coming from my back-end server.

I have another question, if you don’t mind. In all likelihood, you will be able to spot the issue that I am completely overlooking here, but I can’t seem to get the request for an account’s funding sources to go through. It returns with a 401, Missing or Invalid Authorization header.

I get the account access token just prior to making the below request, so it has not expired.

http.get('/accounts/' + accountId + '/funding-sources', {}, {
  headers: {
    'Content-Type': 'application/json',
    'Accept': 'application/vnd.dwolla.v1.hal+json',
    'Authorization': 'Bearer ' + accountAccessToken
  }
});

The base url is 'https://api-sandbox.dwolla.com/'
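A later post attributes this 401 to an axios config issue without saying which one. One cause consistent with the request as posted, assuming `http` is an axios instance, is argument order: axios takes `get(url, config)` but `post(url, data, config)`, so a third argument to `get` is never read. The added example below is not from the thread and does not call axios; `resolveCall` and `sendsBearer` are hypothetical helpers that model that mapping, and the IDs and tokens are constructed placeholders.

```javascript
// Added example. Models axios's positional arguments; it is not axios itself.
//   get/delete/head/options: (url, config)
//   post/put/patch:          (url, data, config)
const BODY_METHODS = ['post', 'put', 'patch'];

// Returns what a call would put on the wire, plus any arguments that fall
// outside the signature and are silently dropped.
function resolveCall(method, args) {
  const hasBody = BODY_METHODS.includes(method.toLowerCase());
  const configIndex = hasBody ? 2 : 1;
  const config = args[configIndex] || {};
  return {
    method: method.toUpperCase(),
    url: args[0],
    data: hasBody ? args[1] : undefined,
    headers: config.headers || {},
    dropped: args.slice(configIndex + 1),
  };
}

// True when the resolved call carries a bearer token.
function sendsBearer(call) {
  const value = call.headers.Authorization || '';
  return /^Bearer \S+$/.test(value);
}

// Constructed placeholders standing in for the values in the post.
const path = '/accounts/ACCOUNT_ID/funding-sources';
const headers = {
  Accept: 'application/vnd.dwolla.v1.hal+json',
  Authorization: 'Bearer ACCOUNT_ACCESS_TOKEN',
};

// As posted: the empty object takes the config slot, the headers are dropped.
const asPosted = resolveCall('get', [path, {}, { headers }]);
// Config in the second position: the Authorization header is sent.
const corrected = resolveCall('get', [path, { headers }]);
// The three-argument shape is only right for methods that take a body.
const postShape = resolveCall('post', ['/transfers', {}, { headers }]);

console.log(sendsBearer(asPosted), asPosted.dropped.length);
console.log(sendsBearer(corrected), corrected.dropped.length);
console.log(sendsBearer(postShape), postShape.dropped.length);
```

Logging the outgoing request headers with the token redacted, or adding a guard like this in a wrapper around the client, shows a missing Authorization header before the API answers with a 401.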

(John) #8

Any ideas on this? The headers look correct.

(Spencer Hunter) #9

@GME, I am not able to spot anything at first glance. I am wondering if you’re passing in the correct OAuth access token which belongs to the user account that you’re attempting to fetch funding sources for. It does look like you’re refreshing a token for a different account while you’re calling the API to make this request.

(John) #10

I am still having issues with this.

Console.logs confirm that I receive the OAuth access token that belongs to the correct user account.

Could this have anything to do with being in the sandbox vs production environment?

(John) #11

The above issue turned out to be a config issue with axios.

Now I am trying to enact a transfer between two customers, but I am getting the error “Receiver cannot receive from sender”.

I am sending from a funding source (associated with an account that has all scopes enabled) to an account (which also has all scopes enabled).

Source URI = 'https://api-sandbox.dwolla.com/funding-sources/' + fundingSourceId

Destination URI = 'https://api-sandbox.dwolla.com/accounts/' + recipientAccountId

Do you have any ideas about what could be causing this?

Thanks again.

(John) #12

Never mind, you can ignore the above post. I needed at least one participant to have a CIP transfer account.

I have noticed that the sandbox does not simulate the CIP transfer account sign-up process. Once you type in your email/password and business name, it prompts the user to allow the requested scopes, and then that’s it. No setting up a funding source, or providing SSN, etc.

Also, the CIP account requires a business name. What if I would like to facilitate transactions between two individuals? Could they put their full name as their “business name”?

(Spencer Hunter) #13

@GME, You should be able to set up a CIP transfer account in the Sandbox, however the UX is slightly different from Sandbox to production. Reference my reply in the thread below:
