16

The following API request: 

curl --request GET \
     --url https://api.sendgrid.com/v3/user/profile \
     --header 'Authorization: Bearer API KEY'\
     --header 'Content-Type: application/json'

From the docs: https://sendgrid.com/docs/API_Reference/Web_API_v3/user.html

Results in a HTTP 403 response with the following body:

{"errors":[{"field":null,"message":"access forbidden"}]}

I went to Settings -> API Keys and clicked on 'Edit details' to view the permissions granted to my API key and, as far as I can tell, there isn't any permission that I can grant (or revoke) that seems related to 'user profile'.

Just to be on the safe side, I have configured every single permission to 'Full Access' (when available) or to 'Read Access' if 'full access' is not available but I am still getting this HTTP 403 error.

What is the permission I need to grant to my API key in order to be able to retrieve my user profile?

Shiju Augustine
  • 265
  • 1
  • 4
  • 11
  • What are you using for the value of 'API KEY' in the Authorization header? Does it start with 'SG.'? Just want to make sure you are using the API KEY and not the API KEY ID. See here: http://stackoverflow.com/questions/34789622/send-grid-seems-to-be-preventing-my-node-js-server-sending-emails/34798357#34798357 – Justin Steele Aug 01 '16 at 14:55
  • I'm sure I have used the API key displayed at the time the Key was generated first time .But i got the same error {"errors":[{"field":null,"message":"access forbidden"}]} – Shiju Augustine Aug 02 '16 at 03:59

11 Answers11

26

Legacy API doesn't work. Use new API

I don't know if it resolve to someone, but I tried to add a contact to sendgrid using this doc getting {"errors":[{"field":null,"message":"access forbidden"}]}:

https://sendgrid.com/docs/API_Reference/Web_API_v3/Marketing_Campaigns/contactdb.html#Add-Single-Recipient-POST

POST POST https://api.sendgrid.com/v3/contactdb/recipients HTTP/1.1

After search a bit more I noted a new documentation (same version API v3) but with very different API methods:

https://sendgrid.api-docs.io/v3.0/contacts/add-or-update-a-contact

PUT https://api.sendgrid.com/v3/marketing/contacts
user3640687
  • 55
  • 7
molavec
  • 8,848
  • 1
  • 27
  • 22
  • 2
    Yes, there's a legacy API and a new API for Marketing Campaigns. The legacy API doesn't work with new accounts, you get the "Access denied" error. You have to use the new Marketing Campaigns API. – Marius Stănescu Jan 17 '20 at 08:05
  • 2
    This helped me a lot. To anyone from SendGrid - it is frustrating that the API docs document the old API surface. – Neeraj Kashyap May 01 '20 at 19:28
  • Thanks for helping. This is what I was looking for. – hamzaali May 17 '20 at 01:26
  • Thanks Marius! Left a working solution for the sendgrid node client that works in 2021 below thanks to you (would have posted here but can't format). – Niko Dunk Feb 17 '21 at 20:14
11

I dug into this and tried various things out myself.

You can't set the permissions for this to work via the website UI. You must make API calls to set the permission.

https://sendgrid.com/docs/API_Reference/Web_API_v3/API_Keys/api_key_permissions_list.html#User-Settings shows a list of all the possible permissions/scopes for user settings.

https://sendgrid.com/docs/API_Reference/Web_API_v3/API_Keys/index.html#Update-the-name-amp-scopes-of-an-API-Key-PUT explains how to add scopes to your API Key.

ADDED: So this is more convoluted than that. You can't use an API Key to modify an API Key unless that key already has permissions/scope to "api_keys.update". This means you find yourself in a catch 22. Instead of using the "Authroization: Bearer {API_KEY}" authorization header you need to make the first call to update an API Key to have that scope using a basic authorization header like "Authorization: Basic {base64Encoded("username:password")}". Quite convoluted and a pain to deal with right now. Sounds like they are coming out with an updated UI hopefully in a few weeks so we all can avoid this little catch 22 in the future.

Justin Steele
  • 2,230
  • 13
  • 16
  • Also note that this solution, using Basic authorization, will soon no longer work since Sendgrid is getting rid of Basic authorization. – Justin Steele Oct 14 '20 at 16:40
5

This error is also caused due to insufficient permissions for api key.

https://sendgrid.com/docs/API_Reference/Web_API_v3/API_Keys/api_key_permissions_list.html#User-Settings

In order to use with api key just : 

Go to Settings > Api keys > Edit Api Key > User Account

Viola! works like a charm with API Key as Auth.

curl --request GET \
 --url https://api.sendgrid.com/v3/user/profile \
 --header 'Authorization: Bearer API KEY'\
 --header 'Content-Type: application/json'

Hope this helps :)

Maverick1604
  • 331
  • 3
  • 14
2

Based on my own testing (can't find anything official) it looks like the free version for SendGrid Email only allow sending emails through the API. In order to make any other types of call through the API, you will need to upgrade your account to a paid one.

Khurram Tahir
  • 21
  • 2
  • 1
    Could you provide source or evidence of this? – Paradox Jul 05 '19 at 20:24
  • Just my own testing..I tried with 2 different accounts. One paid and one free. Paid one worked fine with exact same call, free one didn't. Free account worked for sending email but not for other types of calls. – Khurram Tahir Jul 05 '19 at 20:57
  • I had upvoted this answer but I noticed the fact was totally different after seeing another answer. (Apparently I cannot cancel the upvote because of specification of StackOverflow) Once permissions for an api key are well configured, it will work even if it's free plan. – harukaeru Oct 17 '19 at 04:55
  • I believe you are right based on the sendgrid guy answer here: https://github.com/sendgrid/sendgrid-csharp/issues/689 – user3613026 May 11 '20 at 19:43
2

I just meet this issue, and I here is my solution: You need to create the Auth Sender: https://app.sendgrid.com/settings/sender_auth For testing, just create a simple Single Sender Verification, for productions, you should create a account base on your domain. I use free version and I can send my email after fix this. Notice that, email can go to Spam inbox.

Lê Văn Hiếu
  • 171
  • 1
  • 6
1

The problem still persists and I shall say their documentation still doesn't fully address it. I tried modifying the key, added all the possible user profile scopes, but I still couldn't get my profile info until I tried to simply call it with the basic authentication and voila!

And since that call doesn't have any mentions of API key in it you don't have to assign any scope at all. 

curl -X GET \
  https://api.sendgrid.com/v3/user/account \
  -H 'Authorization: Basic base64encoded(username:password)'
Andrey Stukalin
  • 5,328
  • 2
  • 31
  • 50
  • General note - if you have 2FA enabled on your account, this method won't work. – k3davis Jan 23 '20 at 19:24
  • Good way, you could also simulate a HTTP Post with the parameters which will get you a slightly better level of security (using api key). I find it scary that people send api keys over HTTP Get! – Timothy C. Quinn Sep 03 '20 at 17:59
1

If like me you got here from the node library docs, as Marius said above your 2021 account won't work with the old api listed in the node client library. Use the node client, but with the new api here: https://sendgrid.api-docs.io/v3.0/contacts/add-or-update-a-contact

so works in 2021:

const client = require('@sendgrid/client');
client.setApiKey(sendgrid_api_key)

const uploadRequest = {
        body: {
          list_ids: [listId],
          contacts: [
          {
            email: email,
            first_name: firstName
          }
        ]},
        method: 'PUT',
        url: '/v3/marketing/contacts'
      }
const uploadResponse = await client.request(uploadRequest)

Sendgrid may take Paypal's crown for most inconsistent documentation at this rate :)

Niko Dunk
  • 448
  • 6
  • 11
0

As mentioned by Khurram Tahir, this is NOT related to the free version. In order to meet legitimate sending behavior and reputation, SendGrid require us to verify our sender identifiers (i.e) the "From" email address.

Please refer the below document which lists the verification steps clearly. https://sendgrid.com/docs/ui/sending-email/sender-verification/

I also faced the (403 access forbidden) issue, i have followed the above steps which resolved my issue and able to send email.

Thamizh
  • 29
  • 6
0

To any wayward Googlers that find this...I believe as of November 2020 Sendgrid fixed the initial permission error...so new api keys should have the correct permissions. However...some api calls will still report a "Access forbidden" error even if that is NOT the issue.

For example take this query:

curl --request POST --url https://api.sendgrid.com/v3/categories/stats --header 'Authorization: Bearer secretapikey' --header 'Content-Type: application/json' --data '{"start_date": "2015-01-01","categories": ['Email 123']}'

That fails with access forbidden..even though your api key DOES have permission to use this. Instead the issue is that Sendgrid needs you to use GET instead of POST for some requests (stupid)...and the url parameters must be urlencoded. The following does work correctly.

curl --request GET --url 'https://api.sendgrid.com/v3/categories/stats?start_date=2019-01-01&categories=Email%20123&aggregated_by=month' --header 'Authorization: Bearer secretapikey' --header 'Content-Type: application/json'

If in the documentation (eg https://sendgrid.com/docs/API_Reference/Web_API_v3/Stats/categories.html) you see the request using GET variables...chances are you'll need these for your CURL request as well.

user2662680
  • 677
  • 8
  • 16
0

For me, i tried to call POST /v3/marketing/contacts but seems that this endpoint is for new marketing. Our company use legacy marketing to i have to use other endpoints

Hoang Viet Nguyen
  • 170
  • 1
  • 7
0

Make sure that your API Key permissions are set to Full Access, I had it set to Restricted Access and API for some endpoints was returning 403 status code, once I changed to Full Access it gave 200.

enter image description here

zygimantus
  • 3,649
  • 4
  • 39
  • 54