sendgrid / sendgrid-php

The Official Twilio SendGrid PHP API Library
https://sendgrid.com
MIT License

403 forbidden post batch_id #263

Closed altairdeark closed 8 years ago

altairdeark commented 8 years ago

Access Forbidden

Cannot get the batch ID through the API; the response code is 403. After some investigation, we found this ticket: https://github.com/sendgrid/sendgrid-csharp/issues/185. However, it was not helpful, since we have only one account and we are pretty sure we use the admin account.

Steps to Reproduce

$sendGrid = $this->getNewSendGrid();
$response = $sendGrid->client->mail()->batch()->post();
class SendGrid\Response#98 (3) {
  public $_status_code =>
  int(403)
  public $_body =>
  string(56) "{"errors":[{"field":null,"message":"access forbidden"}]}"
  public $_headers =>
  string(648) "HTTP/1.1 403 FORBIDDEN
Server: nginx
Date: Thu, 14 Jul 2016 03:37:02 GMT
Content-Type: application/json
Content-Length: 56
Connection: keep-alive
Access-Control-Allow-Methods: POST, OPTIONS
Access-Control-Max-Age: 21600
Access-Control-Expose-Headers: Link
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: AUTHORIZATION, Content-Type, On-behalf-of, x-sg-elas-acl
Content-Security-Policy: default-src https://api.sendgrid.com; frame-src 'none'; object-src 'none'
X-Content-Type-Options: nos"...
}

Technical details:

thinkingserious commented 8 years ago

Hi @altairdeark,

Our support team can help with this issue: https://support.sendgrid.com

Thanks!

gsusI commented 8 years ago

I have an API key with all the possible permissions and I got "access forbidden" when posting to the endpoint "mail/batch". I'm using cURL.

I haven't found an answer in the documentation/support forum

thinkingserious commented 8 years ago

@gsusI,

Please open up a ticket with https://support.sendgrid.com. They will be able to dig deeper into your account and figure out what is going on with your key.

gsusI commented 8 years ago

Request #716584

gsusI commented 8 years ago

The issue for me seems to be that not all the permissions allowed can be managed through the UI.

oytuntez commented 8 years ago

We encountered this as well. It looks like a systematic problem, rather than case-specific.

thinkingserious commented 8 years ago

@oytuntez,

Can you also submit a support ticket?

oytuntez commented 8 years ago

Did that as well, thank you.


Oytun Tez

M O T A W O R D - The World's Fastest Human Translation Platform. J S O N - L A N G - JSON specification for localization file exchange. I AM A FACT - Entrepreneurification!


oytuntez commented 8 years ago

I have to publicize this, because I don't understand why 1) this is not documented, 2) we are being redirected to Support even though this is probably a known defect.

Here is the support response:

Hi,

Thank you for contacting us.

Unfortunately, when creating an API key from Sendgrid UI it doesn't have all the detailed permissions. The required scope of this call is not an automatic one, so it needs to be added via an API call. I recommend you to create a new API key via API V3 with Basic Authentication and add more permissions to it. You can also update an already created API key.

Create API Key: POST https://api.sendgrid.com/v3/api_keys
Update API Key: PUT https://api.sendgrid.com/v3/api_keys/{api_key_id}

Here you can find more API calls related to API Key and also all the permissions that you add to it:

API key Post Update Permissions

Please note that you can't add General permissions and Billing Permissions to the same API key.

Please let me know if it helps and if I can help you with anything else.

Best regards,

gmhawash commented 8 years ago

I cannot find any information about using Basic Auth to authenticate. As far as I can tell, the v3 API only accepts api_key for authentication. Could you point me to an example of how to use Basic Auth?

thinkingserious commented 8 years ago

@gmhawash,

Yes, the v3 API only accepts an API Key for authentication.

Why do you need Basic Auth?

Are you having trouble with your API Key? If so, please reach out to https://support.sendgrid.com and they can help.

Thanks!

gmhawash commented 8 years ago

I want to create subusers and apikeys for them from the API.

My root/parent API Keys do not have the permission to create subusers or apikeys or to change permissions on the API key and there is no way to assign them in the UI.

So, I first need to give the parent API key these permissions, and in order to do so, I need to login with username/password using Basic Auth, change the API key permissions, and use the API key from that point forward.

thinkingserious commented 8 years ago

@gmhawash,

Please reach out to our support team at https://support.sendgrid.com. I'm hoping they can help you work through a solution that would fit your needs.

gsusI commented 8 years ago

API v3 does accept Basic Auth.

Basically you need to set a header with something like: "Authorization: Basic " . base64_encode("$username:$password")

Where $username & $password belong to the main user. Including that header, you will be able to use the endpoint api_keys/ to set the permissions.

gsusI commented 8 years ago

And @oytuntez is very right, it should be documented properly to keep this thread (and its duplicates) from growing.

thinkingserious commented 8 years ago

Thanks for the feedback @gsusI, I will put in a request with our documentation team.

gmhawash commented 8 years ago

I would take it a bit further and, rather than having to force the header for basic auth, make Basic Auth authentication a first-class citizen (like API key), and allow for passing in a username and password combo or an api_key.

sohaibshaheen commented 7 years ago

@gsusI Thanks a lot for saving my time. Sendgrid's documentation is definitely flawed.

papaben commented 7 years ago

In an effort to be helpful, here's what I just learned from connecting the dots across several SendGrid documentation pages, the most helpful of which was this one.

  1. Update my API key permissions
    1. NOTE: This can only be done via the API. It is not possible to do this through the web app.
    2. NOTE: This is not a PATCH request, but rather a PUT. This meant, I needed to first GET the existing scopes and then append the new ones. Otherwise, it overwrites all the existing scopes. Side note: whoa! It would be nice to support PATCH here, or make the dangerzone more clear in the docs.
    3. NOTE: This must be done with your username and password. It cannot be done using an API auth key. Username and password are passed as a base64 encoded string in the header.
      1. Get the base64 encoding: echo -n "<username>:<password>" | openssl base64
      2. Now you can send it in your header like this: curl -H "Authorization: Basic $base64creds"
    4. NOTE: You must send the name of the API key, even if it already has one.
    5. Copy the batch scope permissions and include them in your PUT web request to /v3/api_keys/<your key>
    6. Finally, you're ready to make the web request to update your API key's scope.
      1. Your full API key is a three part value separated by dots. The {your_api_key} value is the second part. I.e. do not use the name and do not send the entire key value.
  2. Now you can finally make the web request to generate a batch id!
    1. See an example on the curl examples page
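
The GET-then-PUT sequence from the steps above, as an added Python example (not part of the original comment and not SendGrid's code). It goes slightly beyond the steps by skipping scopes the key already has; the scope names `mail.batch.create` and `mail.batch.read`, the sample data and the helper names are assumptions.

```python
import base64
import json
import urllib.request

API = "https://api.sendgrid.com/v3/api_keys"  # endpoint quoted in the thread


def basic_auth_header(username: str, password: str) -> str:
    """Authorization value built from the account login, not an API key."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def api_key_id(full_key: str) -> str:
    """The key ID is the second of the three dot-separated parts."""
    parts = full_key.split(".")
    if len(parts) != 3 or not parts[1]:
        raise ValueError("expected a three-part API key")
    return parts[1]


def put_body(current: dict, wanted: list) -> dict:
    """PUT replaces the whole scope list, so keep the old scopes and the name."""
    scopes = list(current["scopes"])                  # copy, do not mutate input
    scopes += [s for s in wanted if s not in scopes]  # append only what is missing
    return {"name": current["name"], "scopes": scopes}


def add_scopes(full_key, username, password, wanted):
    """GET the key, merge the scopes, PUT the result back (network call)."""
    url = f"{API}/{api_key_id(full_key)}"
    headers = {"Authorization": basic_auth_header(username, password),
               "Content-Type": "application/json"}
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as r:
        current = json.load(r)
    body = json.dumps(put_body(current, wanted)).encode()
    req = urllib.request.Request(url, data=body, headers=headers, method="PUT")
    with urllib.request.urlopen(req) as r:
        return json.load(r)


# Constructed sample of a GET response; the scope names are assumptions.
SAMPLE = {"api_key_id": "EXAMPLEID", "name": "app key",
          "scopes": ["mail.send", "mail.batch.read"]}
BATCH = ["mail.batch.create", "mail.batch.read"]  # assumed batch scope names
```

Only `add_scopes` touches the network; `put_body(SAMPLE, BATCH)` shows the merged request body without sending anything.
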
ewirch commented 6 years ago

@papaben I guess you meant to write "it overwrites all the existing scopes" instead of "it overwrites all the existing keys", didn't you?

queenvictoria commented 3 years ago

Anyone coming here because of the 403: FORBIDDEN error when creating a batch ID using the client.request method should know that (as of 2021) you can set the required permissions in the UI.

Mail Send > Scheduled Sends https://app.sendgrid.com/settings/api_keys