If you are developing native integrations between your product and Sage Intacct, you may encounter the "401 Unauthorized" error message. This error typically occurs when the authentication credentials provided for the request are either invalid or have expired.
In this article, we will explore the possible causes of this error and provide solutions to help you resolve it.
Potential Causes of the Sage 401 Unauthorized Error
1. Expired Access Tokens
Access tokens have a limited lifespan and must be refreshed periodically. If the access token used in an API request has expired, a 401 error will occur. To resolve this error, you must refresh the access tokens by sending a new authentication request and receiving a new set of access and refresh tokens.
Resolution to “Expired Access Tokens”
To fix the error caused by expired access tokens, you need to refresh the tokens. You can do this by sending a new authentication request and receiving a new set of access and refresh tokens. Here's a sample code snippet that shows how to refresh access tokens in Python.
This code uses the Python Requests library to authenticate with Sage Intacct API by sending a request with a refresh token, client ID, and client secret. Then you will receive new access and refresh tokens for subsequent API requests.
Here is an example response you will get.
2. Revoked or Invalid Access Token
A revoked or invalid access token is one that is no longer valid or has been terminated by the API service. This can happen for various reasons, such as the user revoking access, the token expiring, or the user changing their password. When an application attempts to use an invalid or revoked access token, it will typically receive an error message, such as "Invalid Access Token" or "Revoked Access Token," indicating that it is unable to carry out the requested action.
Resolutions for the "Invalid or Revoked Access Token" error
If the error is due to an invalid or revoked access token, you must follow the same steps as for a token that has expired (above) to obtain a new one.
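The refresh step described for expired tokens (cause 1) and for revoked or invalid tokens (cause 2), as an added example that is not code from the original article or from Sage Intacct. It assumes a generic OAuth 2.0 refresh grant (RFC 6749 field names), uses a placeholder `TOKEN_URL`, and takes hypothetical `post` and `send` callables so it runs offline.

```python
import time

# Placeholder, not the real Sage Intacct token endpoint (assumption).
TOKEN_URL = "https://auth.example.invalid/oauth2/token"


class ReauthorizationRequired(Exception):
    """The refresh was rejected; the user must authorize the app again."""


class TokenManager:
    def __init__(self, post, client_id, client_secret, tokens, skew=60, clock=time.time):
        self.post = post  # hypothetical callable(url, data) -> (status, json_dict)
        self.client_id, self.client_secret = client_id, client_secret
        self.skew, self.clock = skew, clock
        self._store(tokens)

    def _store(self, tokens):
        self.access_token = tokens["access_token"]
        # A refresh may return a new refresh token: keep it, else keep the old one.
        self.refresh_token = tokens.get("refresh_token", getattr(self, "refresh_token", None))
        self.expires_at = self.clock() + tokens.get("expires_in", 0)

    def refresh(self):
        status, body = self.post(TOKEN_URL, {
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token,
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        })
        if status != 200:
            # Surface only the error code; never log tokens or the client secret.
            raise ReauthorizationRequired(body.get("error", "refresh_failed"))
        self._store(body)

    def call(self, send):
        """send(access_token) -> (status, body); hypothetical API call wrapper."""
        # Cause 1: refresh shortly before the local expiry time is reached.
        if self.clock() >= self.expires_at - self.skew:
            self.refresh()
        status, body = send(self.access_token)
        # Cause 2: token rejected server-side; refresh and retry exactly once.
        if status == 401:
            self.refresh()
            status, body = send(self.access_token)
        return status, body
```

With the Requests library the article mentions, `post` would wrap `requests.post(url, data=data, timeout=10)` and return its status code and parsed JSON. A second 401 after the retry is returned to the caller rather than retried, which is where causes 3 and 4 (credentials and permissions) should be investigated.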
3. Invalid Credentials
Invalid credentials typically refer to incorrect or expired authentication credentials used to obtain an access token. This could include an incorrect username or password, an expired authorization code or refresh token, or an incorrect client ID or client secret. Invalid credentials will result in a failed authentication attempt and the inability to obtain a valid access token, which will prevent the user from accessing protected resources or making API calls.
Resolutions for "Invalid Credentials"
Verify that the client ID and secret you are using are accurate by consulting the Sage Intacct Developer Console. If not, reset your password or get help from Sage Intacct customer support.
4. Insufficient permissions
Insufficient permissions refer to the situation where the user or application trying to access a particular resource or perform a specific action doesn't have the necessary permissions to do so. This could be because the user doesn't have the required role or permission level, or because the application wasn't authorized to perform the action.
The type of permissions required in Sage Intacct depends on what you're trying to do. Common types of permissions include role-based, object-based, action-based, and company-based permissions. To access API endpoints such as the access token endpoint, the application must be authorized by an administrator and have the appropriate permissions assigned to it. If a user is not sure which permissions are required, they can check the software's documentation or speak with an administrator.
Resolutions for "Insufficient Permissions"
Ensure that the user associated with the access token has the necessary permissions to perform the desired action. If they do not have the required permissions, you may need to adjust their role or permission level or seek assistance from Sage Intacct support.
Fully managed Sage Intacct auth
Access/refresh token management is handled by Paragon's authentication layer for any 3rd party SaaS integration you need to build, so you can focus on implementing your integration logic instead of fixing errors such as the Sage `401 Unauthorized` error.
With a single `paragon.connect('salesforce');` call, the Paragon SDK will handle the entire authorization flow and refresh tokens on behalf of your customers.