sendgrid error "Access forbidden" when trying to GET user profile API

Legacy API doesn't work. Use new API

I don't know if it resolve to someone, but I tried to add a contact to sendgrid using this doc getting {"errors":[{"field":null,"message":"access forbidden"}]}:

https://sendgrid.com/docs/API_Reference/Web_API_v3/Marketing_Campaigns/contactdb.html#Add-Single-Recipient-POST

POST POST https://api.sendgrid.com/v3/contactdb/recipients HTTP/1.1

After search a bit more I noted a new documentation (same version API v3) but with very different API methods:

https://sendgrid.api-docs.io/v3.0/contacts/add-or-update-a-contact

PUT https://api.sendgrid.com/v3/marketing/contacts

This error is also caused due to insufficient permissions for api key.

https://sendgrid.com/docs/API_Reference/Web_API_v3/API_Keys/api_key_permissions_list.html#User-Settings

In order to use with api key just :

Go to Settings > Api keys > Edit Api Key > User Account

Viola! works like a charm with API Key as Auth.

curl --request GET \
 --url https://api.sendgrid.com/v3/user/profile \
 --header 'Authorization: Bearer API KEY'\
 --header 'Content-Type: application/json'

Hope this helps :)

I dug into this and tried various things out myself.

You can't set the permissions for this to work via the website UI. You must make API calls to set the permission.

https://sendgrid.com/docs/API_Reference/Web_API_v3/API_Keys/api_key_permissions_list.html#User-Settings shows a list of all the possible permissions/scopes for user settings.

https://sendgrid.com/docs/API_Reference/Web_API_v3/API_Keys/index.html#Update-the-name-amp-scopes-of-an-API-Key-PUT explains how to add scopes to your API Key.

ADDED: So this is more convoluted than that. You can't use an API Key to modify an API Key unless that key already has permissions/scope to "api_keys.update". This means you find yourself in a catch 22. Instead of using the "Authroization: Bearer {API_KEY}" authorization header you need to make the first call to update an API Key to have that scope using a basic authorization header like "Authorization: Basic {base64Encoded("username:password")}". Quite convoluted and a pain to deal with right now. Sounds like they are coming out with an updated UI hopefully in a few weeks so we all can avoid this little catch 22 in the future.