Forums

Articles
Create
cancel
Showing results for 
Search instead for 
Did you mean: 

Forge {“code”:401,”message”:”Unauthorized; scope does not match”}

Fatima AALLA
Contributor
June 30, 2026

I have tested to create a Rovo agent using forge, the agent role is to fetch ccounts in JSM, and return the users haven’t loged in in last 180days, to help admin for users review, but it fails to fetch the API:

I get this error:

ERROR 2026-06-28T23:46:29.594Z ec49ff6a-940d-49f5-9de5-b8a248e152ba Error: {“code”:401,“message”:“Unauthorized; scope does not match”}
at Object.getGroupMembersFull (webpack://users-review/src/index.js:21:13)

I have tried both const res = await api.asUser() and const res = await api.asApp() but always same error, could you help me to investigate the issue, for information I’m an ORG administrator.

Manifest.yml:

modules:
action:
- key: get-group-members-full
name: Get Full Group Membership
description: Retrieves all users in a group with their details
function: getGroupMembersFull
actionVerb: GET
inputs:
groupId:
title: Group ID
type: string
description: Atlassian Admin Directory Group ID
rovo:agent:
- key: users-review-agent
name: Users Review
description: Reviews group membership and inactive users
prompt: >
You help administrators review Atlassian group membership.
Ask for a Group ID if not provided.
Use get-group-members-full action and show all returned users.
conversationStarters:
- Show group members
- Find inactive users
actions:
- get-group-members-full
function:
- key: getGroupMembersFull
handler: index.getGroupMembersFull
app:
id: ari:cloud:ecosystem::app/1dfefea2-e33d-48c7-af0d-0d73816e08fa
runtime:
name: nodejs24.x
memoryMB: 256
architecture: arm64
permissions:
scopes:
- read:jira-user
- read:group:jira
external:
fetch:
backend:
- api.atlassian.com

Index.js

import api, { route } from '@forge/api';
const GROUP_ID = the_id_of_the_group;
export async function getGroupMembersFull() {
let users = [];
// Always start with a SAFE route object
let nextUrl = route`/rest/api/2/group/member?groupId=${GROUP_ID}`;
while (nextUrl) {
// ALWAYS pass route object directly here
const res = await api.asApp().requestJira(nextUrl, {
headers: {
Accept: 'application/json'
}
});
if (!res.ok) {
throw new Error(await res.text());
}
const data = await res.json();
users.push(...(data.values || []));
// Pagination
if (data.isLast === false && data.nextPage) {
// Convert absolute URL → safe route again
const next = new URL(data.nextPage);
nextUrl = route`${next.pathname}${next.search}`;
} else {
nextUrl = null;
}
}
return {
groupId: GROUP_ID,
total: users.length,
users
};
}

can you help me resolve the permission issue and add the 180days review

thank you in advance for your support.

1 answer

1 vote
Ben Kelley
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 30, 2026

According to the docs https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-groups/#api-rest-api-3-group-member-get the scopes you need for this endpoint are:

read:group:jira

read:user:jira

read:avatar:jira

You only have read:group:jira.

Suggest an answer

Log in or Sign up to answer
DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
PREMIUM
PERMISSIONS LEVEL
Product Admin Site Admin
TAGS
AUG Leaders

Atlassian Community Events