I would like to be able to use the Patreon API to check whether a given user has pledged to my creator’s account.
The twist is this: by default, when a user grants my client access with OAuth, the default scopes are:
users pledges-to-me my-campaign
I want to be able to retrieve a user’s pledge data with a token that has scope limited to only pledges-to-me.
I am using curl to test the Patreon API. Once I have a user’s access token (with all scopes granted), I can successfully retrieve user data with the following curl command:
curl -X GET -H "Authorization: Bearer Qc...PQ" https://www.patreon.com/api/oauth2/api/current_user
However, if I use the same command with a pledges-to-me scoped token, I get this response:
{ "errors": [ { "code": null, "code_name": "OAuthClientViewForbidden", "detail": "You do not have permission to view OAuth Client with id [MY_CREATOR_CLIENT_ID].", "id": "[Guid - don't know what this is.]", "status": "403", "title": "You do not have permission to view this OAuth Client." } ] }
This is different from the response I get if I use a faulty/expired token:
{ "errors": [ { "code": 1, "code_name": "Unauthorized", "detail": "The server could not verify that you are authorized to access the URL requested. You either supplied the wrong credentials (e.g. a bad password), or your browser doesn't understand how to supply the credentials required.", "id": "[Guid - don't know what this is]", "status": "401", "title": "Unauthorized" } ] }
So I suspect that I do have permissions to read from the user, but I am not formatting the request properly. Maybe I need to limit it to only pledge relationships somehow?
(Using APIv1.)
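A small triage helper for the two error bodies quoted above, as an added example that is not part of the original post: it reads the errors array and separates an authentication failure (401) from an authorization denial (403), which is the distinction the post relies on when testing a reduced-scope token. The function name triage, the verdict labels, and the trimmed sample bodies are assumptions made for illustration.

```python
import json

# Constructed samples: the two error bodies quoted in the post, trimmed to the
# fields this helper reads.
FORBIDDEN_BODY = ('{"errors": [{"code": null, "code_name": "OAuthClientViewForbidden", '
                  '"status": "403", "title": "You do not have permission to view this OAuth Client."}]}')
UNAUTHORIZED_BODY = ('{"errors": [{"code": 1, "code_name": "Unauthorized", '
                     '"status": "401", "title": "Unauthorized"}]}')


def triage(body):
    """Classify an error body (hypothetical helper, not part of any Patreon client).

    Returns (verdict, code_names). Verdicts:
      "authentication_failed" - at least one 401 entry: the credential was not accepted
      "authorization_denied"  - only 403 entries: the request was understood but refused
      "other_error"           - error entries with any other status
      "no_errors"             - JSON object without usable entries under "errors"
      "unparseable"           - body is not a JSON object
    """
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return "unparseable", []
    if not isinstance(doc, dict):
        return "unparseable", []
    raw = doc.get("errors")
    errors = [e for e in raw if isinstance(e, dict)] if isinstance(raw, list) else []
    if not errors:
        return "no_errors", []
    # "status" is a string in the quoted responses; normalise in case it is a number.
    statuses = {str(e.get("status")) for e in errors}
    names = [e["code_name"] for e in errors if e.get("code_name")]
    if "401" in statuses:
        return "authentication_failed", names
    if statuses == {"403"}:
        return "authorization_denied", names
    return "other_error", names


if __name__ == "__main__":
    for label, body in (("scoped token", FORBIDDEN_BODY), ("bad token", UNAUTHORIZED_BODY)):
        print(label, "->", triage(body))
```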