Authentication

Sage Intacct Integration Error 401 Unauthorized

If you are developing native integrations between your product and Sage Intacct, you may encounter the "401 Unauthorized" error message. This error typically occurs when the authentication credentials provided for the request are either invalid or have expired.

In this article, we will explore the possible causes of this error and provide solutions to help you resolve it.

HTTP/1.1 401 Unauthorized
Content-Type: application/json

{
   "error": "invalid_grant"
}

Potential Causes of the Sage 401 Unauthorized

1. Expired Access Tokens

Access tokens have a limited lifespan and must be refreshed periodically. If the access token used in an API request has expired, a 401 error will occur. To resolve this error, you must refresh the access tokens by sending a new authentication request and receiving a new set of access and refresh tokens.

Resolution to “Expired Access Tokens”

To fix the error caused by expired access tokens, you need to refresh the tokens. You can do this by sending a new authentication request and receiving a new set of access and refresh tokens. Here's a sample code snippet that shows how to refresh access tokens in Python.

# Import required libraries
import requests

# Define the auth endpoint URL
url = 'https://api.intacct.com/identity/v2/oauth2/token'

# Define auth parameters (load real values from a secret store, not source code)
auth_params = {
    'grant_type': 'refresh_token',
    'refresh_token': 'your_refresh_token_here',
    'client_id': 'your_client_id_here',
    'client_secret': 'your_client_secret_here'
}

# Send the auth request; fail fast on network stalls and HTTP errors
response = requests.post(url, data=auth_params, timeout=10)
response.raise_for_status()

# Parse the auth response
response_json = response.json()
access_token = response_json['access_token']
refresh_token = response_json['refresh_token']

This code uses the Python Requests library to authenticate with the Sage Intacct API by sending a request with a refresh token, client ID, and client secret. The response contains new access and refresh tokens to use for subsequent API requests.

Here is an example response you will get.

{
  "access_token": "<access token (JWT), omitted>",
  "scopes": "full_access:read Contact:action",
  "token_type": "bearer",
  "expires_in": 300,
  "refresh_token": "<refresh token (JWT), omitted>",
  "refresh_token_expires_in": 86400,
  "requested_by_id": "1234567890"
}

2. Revoked or Invalid Access Token

This indicates that the access token is no longer valid or has been terminated by the API service. This can happen for various reasons, such as the user revoking access, the token expiring, or the user changing their password. When an application attempts to use an invalid or revoked access token, it will typically receive an error message, such as "Invalid Access Token" or "Revoked Access Token," indicating that it is unable to carry out the requested action.

Resolutions for the "Invalid or Revoked Access Token" error

If the error is due to an invalid or revoked access token, you must follow the same steps as for a token that has expired (above) to obtain a new one.
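
As an added example (not code from the original article, Sage Intacct, or Paragon), the sketch below wraps the refresh call so that a caller refreshes ahead of the 300-second expires_in shown in the sample response, replaces the stored refresh token on every refresh, and treats invalid_grant as a signal to re-authorize instead of retrying. TokenStore, post_form, make_fake_endpoint and the at-N / rt-N token values are constructed for illustration, and the stand-in server's rule that each refresh token works only once is an assumption.

```python
import time

class ReauthorizationRequired(Exception):
    """The refresh token was rejected; the user must authorize again."""

class TokenStore:
    """Caches the access token and refreshes it shortly before it expires.
    post_form(params) -> (status, body) is a hypothetical transport hook."""
    SKEW = 30  # seconds of safety margin before expires_in elapses

    def __init__(self, post_form, client_id, client_secret, refresh_token,
                 clock=time.time):
        self._post, self._clock = post_form, clock
        self._client = {"client_id": client_id, "client_secret": client_secret}
        self._refresh_token = refresh_token
        self._access_token, self._expires_at = None, 0.0

    def access_token(self):
        if self._access_token is None or self._clock() >= self._expires_at - self.SKEW:
            self._refresh()
        return self._access_token

    def invalidate(self):
        """Call when an API request returns 401: forces a refresh on next use."""
        self._access_token = None

    def _refresh(self):
        status, body = self._post({"grant_type": "refresh_token",
                                   "refresh_token": self._refresh_token,
                                   **self._client})
        # The page shows invalid_grant with 401; RFC 6749 uses 400. Accept both.
        if status in (400, 401) and body.get("error") == "invalid_grant":
            raise ReauthorizationRequired("refresh token rejected")
        if status != 200:
            raise RuntimeError(f"token endpoint returned HTTP {status}")  # body may hold tokens
        self._access_token = body["access_token"]
        self._refresh_token = body["refresh_token"]  # keep only the newest one
        self._expires_at = self._clock() + body["expires_in"]

def make_fake_endpoint(valid="rt-0"):
    """Constructed stand-in server; assumes each refresh token works once."""
    state = {"valid": valid, "n": 0}
    def post_form(params):
        if params["refresh_token"] != state["valid"]:
            return 401, {"error": "invalid_grant"}
        state["n"] += 1
        state["valid"] = f"rt-{state['n']}"
        return 200, {"access_token": f"at-{state['n']}", "expires_in": 300,
                     "refresh_token": state["valid"]}
    return post_form
```

In production, post_form would wrap requests.post() against the token endpoint, and the rotated refresh token would be written back to the secret store before the new access token is used.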

3. Invalid Credentials

Invalid credentials typically refer to incorrect or expired authentication credentials used to obtain an access token. This could include an incorrect username or password, an expired authorization code or refresh token, or an incorrect client id or client secret. Invalid credentials will result in a failed authentication attempt and the inability to obtain a valid access token, which will prevent the user from accessing protected resources or making API calls.

Resolutions for "Invalid Credentials"

Verify that the client ID and secret you are using are accurate by consulting the Sage Intacct Developer Console. If they are not, reset your password or get help from Sage Intacct customer support.

4. Insufficient permissions

Insufficient permissions refer to the situation where the user or application trying to access a particular resource or perform a specific action doesn't have the necessary permissions to do so. This could be because the user doesn't have the required role or permission level, or because the application wasn't authorized to perform the action.

The type of permissions required in Sage Intacct depends on what you're trying to do. Common types of permissions include role-based, object-based, action-based, and company-based permissions. To access API endpoints such as the access token endpoint, the application must be authorized by an administrator and have the appropriate permissions assigned to it. If a user is not sure which permissions are required, they can check the software's documentation or speak with an administrator.

Resolutions for "Insufficient Permissions"

Ensure that the user associated with the access token has the necessary permissions to perform the desired action. If they do not have the required permissions, you may need to adjust their role or permission level or seek assistance from Sage Intacct support.

Fully managed Sage Intacct auth

If you want to avoid dealing with auth errors again while building a native Sage (or any other) integration for your app, try out Paragon.

Access/refresh token management is handled by Paragon's authentication layer for any 3rd party SaaS integration you need to build, so you can focus on implementing your integration logic instead of fixing errors such as the Sage 401 Unauthorized error.

With a single paragon.connect('sage-intacct'); call, the Paragon SDK handles the entire authorization flow and refreshes tokens on behalf of your customers.

Ready to get started?

Join 100+ SaaS companies that are scaling their integration roadmaps with Paragon.