How do OAuth 1 permissions work in the API?
AWeber's API has several OAuth 1 permission settings available in order to help protect the privacy of our customers and their subscribers. There is one set of permissions enabled by default and two that must be explicitly granted by the customer during authorization.
These permissions are exclusive, not inclusive: each one grants only its own abilities. So if you have the manage email permission enabled, you will not automatically receive the subscriber data permission as well.
You can have your integration request the extra permissions by changing a setting in your developer account.
Note that permissions are set at the time you create a request token (when you start the OAuth 1 authorization process for a new user). If you change permissions after you have gone through the OAuth 1 process, you will need to have the user reauthorize your integration to obtain new access tokens. The original tokens will continue to work at the level of permissions that was set when the customer first authorized, and anything above those permissions will return a 404 Forbidden Error.
Types of Permissions
There are three types of permissions you can have. All integrations start with the default permissions, and the subscriber data and manage email permissions must be enabled before you can use them.
Default Permissions:
All integrations have these permissions, and they cannot be revoked. These are the abilities granted by the default permissions:
- Access lists, messages, campaigns
- Create, update, delete and move subscribers in lists
- Create, update and delete custom fields in lists
- Access subscriber data, except for the name, email, IP address, and notes fields
Subscriber Data:
This is one of the permissions that must be enabled in your developer account and explicitly granted by the customer. It gives access to further details about subscribers, including these abilities:
- Access to the name, email, IP address, and notes fields
- Use the find method to search for subscribers using search parameters such as name, email, status, city, country, custom fields, etc.
- Access to the top 10 subscribers by opens and gross sales when viewing broadcast stats
Manage Email:
This is one of the permissions that must be enabled in your developer account and explicitly granted by the customer. It allows the integration to handle email on the customer's behalf with the following abilities:
- Create broadcast messages
- Schedule broadcast messages
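The following Python is an added illustration of the rules above, not AWeber's code or API: it models the three permission levels, the fact that they are exclusive, the subscriber fields withheld without the subscriber data permission, and the snapshot of permissions taken when a request token is created (so enabling a permission later does not affect tokens already issued). The operation labels, the subscriber record fields and the sample data are assumptions for the example.

```python
# Added example, not AWeber's code: a small model of the OAuth 1 permission
# rules described on this page (default / subscriber data / manage email).
# Operation labels, the subscriber record layout and the sample data are assumed.
from dataclasses import dataclass
from enum import Enum


class Permission(Enum):
    DEFAULT = "default"                  # every integration has this; cannot be revoked
    SUBSCRIBER_DATA = "subscriber_data"  # must be enabled and granted by the customer
    MANAGE_EMAIL = "manage_email"        # must be enabled and granted by the customer


# Subscriber fields the page says are withheld without the subscriber data permission.
PROTECTED_SUBSCRIBER_FIELDS = frozenset({"name", "email", "ip_address", "notes"})

# Each operation needs exactly one permission. The permissions are exclusive, so
# holding manage email says nothing about subscriber data. (Assumed operation labels.)
REQUIRED_PERMISSION = {
    "list_subscribers": Permission.DEFAULT,
    "create_subscriber": Permission.DEFAULT,
    "update_custom_field": Permission.DEFAULT,
    "find_subscribers": Permission.SUBSCRIBER_DATA,
    "broadcast_top_subscribers": Permission.SUBSCRIBER_DATA,
    "create_broadcast": Permission.MANAGE_EMAIL,
    "schedule_broadcast": Permission.MANAGE_EMAIL,
}


@dataclass(frozen=True)
class AccessToken:
    token: str
    granted: frozenset  # permission snapshot taken when the request token was created


def create_request_token_permissions(app_settings):
    """Permissions are fixed when the request token is created: copy the
    developer-account settings at that moment. DEFAULT is always included."""
    return frozenset({Permission.DEFAULT} | set(app_settings))


def is_allowed(token: AccessToken, operation: str) -> bool:
    """True if the token's snapshot covers the operation. An integration whose
    settings changed later still fails here until the customer reauthorizes."""
    return REQUIRED_PERMISSION[operation] in token.granted


def visible_subscriber(token: AccessToken, record: dict) -> dict:
    """Return the subscriber record as this token may see it: the protected
    fields are dropped unless subscriber data was granted."""
    if Permission.SUBSCRIBER_DATA in token.granted:
        return dict(record)
    return {k: v for k, v in record.items() if k not in PROTECTED_SUBSCRIBER_FIELDS}


def demo():
    """Walk through the scenario in the text: authorize with manage email only,
    then enable subscriber data afterwards and observe the old token is unaffected."""
    # Constructed sample subscriber record; not real data.
    subscriber = {"id": 42, "status": "subscribed", "city": "Springfield",
                  "name": "Jane Doe", "email": "jane@example.com",
                  "ip_address": "203.0.113.7", "notes": "signed up at webinar"}

    app_settings = {Permission.MANAGE_EMAIL}
    old_token = AccessToken("tok-1", create_request_token_permissions(app_settings))

    # Developer turns on subscriber data later; existing tokens keep their snapshot,
    # and only a fresh authorization yields a token that carries it.
    app_settings.add(Permission.SUBSCRIBER_DATA)
    new_token = AccessToken("tok-2", create_request_token_permissions(app_settings))

    return {
        "old_can_broadcast": is_allowed(old_token, "create_broadcast"),
        "old_can_find": is_allowed(old_token, "find_subscribers"),
        "new_can_find": is_allowed(new_token, "find_subscribers"),
        "old_view": visible_subscriber(old_token, subscriber),
        "new_view": visible_subscriber(new_token, subscriber),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the script shows the old token can still create broadcasts but cannot search subscribers or see their name, email, IP address or notes, while the token issued after reauthorization can; that is the behaviour to expect from the API when permissions are changed after a customer has already authorized.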
Looking for OAuth 2?
If you have an OAuth 2 integration, the permissions are added at the time of authorization based on the scopes you choose. If you need help authenticating, see our guide to OAuth 2.