Action required - Platform Security Improvement

April 17, 2017


As part of our continual platform security improvements, we want to remind you that enforcement of the scopes requirement for all access tokens will begin on May 22, 2017.

What’s important to know:

  • If you currently have an app registered on the Forge Developer Portal that you created before June 15, 2016, it is currently grandfathered-in and enjoying a grace period that allows it to skip enforcement of scopes on any access tokens it generates.
  • Before May 22, you must update your code so that any access tokens generated by your app request scopes. If you do not, your app will break.
  • This grace period will end on May 22, 2017. Learn more in OAuth documentation.
  • Apps registered after June 15, 2016 already require scopes. No action is required for these.


What are Scopes?

The Forge APIs include more advanced user data protection with the introduction of bearer tokens to gain access to restricted resources and scopes to define levels of access.

A scope is a permission that is set on a token setting the context in which that token may act. For example a token with the data:read scope is permitted to read data within the Forge ecosystem and can be used on those endpoints that require that scope. Tokens without that scope would be denied access to such endpoints.  Similarly, calls to endpoints that require higher privileges than data:read (such as data:write) using a token with  only the data:read scope will be rejected. Please refer the OAuth documentation for more informaiton on scopes.

Thank you for your prompt attention.  Please forward this notice to anyone else you believe might be affected by this. Don’t hesitate to ask for help if you’re having trouble implementing scopes in your code.

Posts by author

Stephen Preston has been with Autodesk since 2000, focusing on providing programming support, consulting, training and evangelism to external developers.