403 Forbidden error when using SCAPI for B2C Commerce

Publish Date: Nov 21, 2024
Description

The Salesforce Commerce API (SCAPI) endpoints for B2C Commerce may return a 403 Forbidden error that says: "Your access-token is valid, but you have no permissions to access the resource".

Example:

{"type":"https://api.commercecloud.salesforce.com/documentation/error/v1/errors/forbidden",
"title":"Forbidden",
"detail":"Your access-token is valid, but you have no permissions to access the resource."}

Resolution

The 403 Forbidden error occurs when the scopes for the SCAPI endpoints being used are not correctly defined. Check whether each endpoint you call needs the view-only scope or the read/write scope. For example:

sfcc.promotions - View promotions
sfcc.promotions.rw - Create, update, or delete promotions

If only view access is provided in the scope, any attempt to update the resource will result in the 403 error. More information about how this affects the APIs is below:

  1. When this occurs for Admin APIs, please check the scope in the following places.
    1. Scopes in API Client in Account Manager: Navigate to Account Manager > API Client, select the client ID and review the scopes added.
    2. Scopes in /access_token request: For Admin API, the scopes of the endpoints which need to be used in subsequent requests must be added in the request body of /access_token request. When the scopes added in this initial step are incorrect, the subsequent requests will fail with the 403 Forbidden error.

  2. When this occurs for the Shopper APIs, the scopes set for the Shopper Login and API Access Service (SLAS) client also need to be reviewed. This can be checked in the SLAS Admin UI which can be accessed via https://{{short-code}}.api.commercecloud.salesforce.com/shopper/auth-admin/v1/ui/.

    Note: {{short-code}} in the URL above needs to be updated with the value corresponding to your instance.
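To see which scopes a token actually carries before blaming the endpoint, the following added example (not part of the Salesforce article) decodes the token payload locally and compares it with the view/read-write pair described above. It assumes the access token is a JWT whose scopes sit in a `scope` or `scp` claim, that create/update/delete calls use POST, PUT, PATCH or DELETE, and that the `.rw` scope also covers reads; the function names are hypothetical.

```python
import base64
import json

# Assumption: these methods create, update or delete; confirm the required
# scope for a given endpoint in its API reference.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def token_scopes(access_token, claim_names=("scope", "scp")):
    """Return the scopes in a JWT access token (claim names are assumptions).

    The payload is decoded without signature verification: this is a local
    diagnostic, not an authorization decision.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload_b64 = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    scopes = set()
    for name in claim_names:
        value = claims.get(name, [])
        scopes.update(value.split() if isinstance(value, str) else value)
    return scopes

def explain_403(access_token, method, scope_family):
    """Say whether the token's scopes cover `method` on e.g. 'sfcc.promotions'."""
    granted = token_scopes(access_token)
    read, write = scope_family, scope_family + ".rw"
    if method.upper() in WRITE_METHODS:
        if write in granted:
            return "ok"
        if read in granted:
            return f"missing {write}: token only has view scope {read}"
        return f"missing {write}"
    if read in granted or write in granted:
        return "ok"
    return f"missing {read}"

def constructed_token(claims):
    """Build an unsigned sample token for the demo (constructed, not real)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

if __name__ == "__main__":
    token = constructed_token({"scope": "sfcc.promotions sfcc.catalogs.rw"})
    print(explain_403(token, "PATCH", "sfcc.promotions"))
    print(explain_403(token, "GET", "sfcc.promotions"))
```

If the decoded token lacks a scope that is configured on the API client, the gap is in the /access_token request; if the client itself lacks it, fix it in Account Manager or the SLAS Admin UI.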

Knowledge Article Number

000395025
