Oauth2 bearer token: Unauthorized: scope does not match

JustinIsrael · May 18, 2025, 11:12pm

I have created a new test OAuth2 application in our cloud developer console. No matter what combination of rest requests I set, I end up with “Unauthorized; scope does not match” when trying to make a request.

My app has been reduced to just a singular granular scope: “read:page:confluence”

I have a bearer access_token from an external OAuth2 flow. And with it, I try to perform the following rest request:

curl \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    -XGET \
    https://api.atlassian.com/ex/jira/${CLOUD_ID}/wiki/api/v2/pages/${PAGE_ID}

which returns:

{"code":401,"message":"Unauthorized; scope does not match"}

Are there any tips on how to debug this?
I can confirm that when I curl https://api.atlassian.com/oauth/token/accessible-resource, I get the expected cloud id reporting the single granular scope.

This entire process started out with using the atlassian-python-api library, but I have removed that from the factors to try and replicate the raw rest request.

nathanwaters · May 18, 2025, 11:44pm

Perhaps: https://api.atlassian.com/ex/confluence/${CLOUD_ID}/wiki/api/v2/pages/${PAGE_ID}

JustinIsrael · May 19, 2025, 9:24pm

Wow. Ok, I swear I tried this variation before and got a response saying it was a deprecated endpoint. Now it seems to be working! I’m not going to argue with results. I must have done something slightly different when it didn’t work.

JustinIsrael · May 19, 2025, 9:46pm

Ok I spoke too soon and I think I am still confused on the correct assignment of scopes to the Application. So the previous solution works fine if I only use a granular scope “read:page:confluence”. When I try to use the classic scopes, I end up getting the error that the scopes don’t match. Is there a compatibility issue between api version urls and the scope types?