Solving Access Denied errors

One of the most common errors that Developers run into when first starting to work with the AccountRight API looks something like this:

[
 {
 "Message": "Access denied"
 }
]

or 

The remote server returned an error: (401) Unauthorized

Access Denied:

`Acces denied` errors will always come down to one of two things;

• The `cftoken` header is missing from the request.
• The wrong details are being passed in the `cftoken`.

The data that is passed in the `cftoken` header relates to the company file sign-in details for the AccountRight file that you are trying to connect to. This is the username and password not the email address and password. 

These details that are passed in the CFtoken header need to be base64 encoded. For example with our sandbox files, the username and password is `APIDeveloper: (blank password)` which is passed as `x-myobapi-cftoken: QVBJRGV2ZWxvcGVyOg==`

If you are not sure of the company file sign-in details that you should be passing in the `cftoken`, you will need to talk to the client that sent you the invite.

401 Unauthorised:

We find the main reason that would break the connection and cause the error `401 unauthorized` is if the client has enabled SSO (Single sign-on). When the client enables SSO this means they only need to log into the AccountRight file using their my.myob email and password and the username and password is now linked and NOT required.

From an API point of view, if the client enabled SSO we no longer need to pass the `x-myobapi-cftoken` header.

By default when an AccountRight Online file is created this will come with the default username and password of `Administrator: (no password)`. When a user logs into this online file they would first be prompted for their My.MYOB login which is their email and password and then the company file User I.D and password which is Administrator: (no password). The username and password is what gets passed in the `x-myobapi-cftoken` header.

The first way to test this is to remove the `CFtoken` header and completed a request, if this is successful then single sign-on has been enabled. 

The second way we can test this if removing the `CFtoken` header is not an option is:

1. Choose the file you're connecting to
2. Attempt to GET/CurrentUser endpoint.

If you get a permission error then prompt the user for their `cftoken` credentials.

Returning Null:

If the result `null` is returned when completing a GET request to the API, this indicates that the email address you have completed Oauth with has not been invited to the company file as a user. You will need to reach out to the Administrator of the company file to confirm your user access.