403 "Insufficient Scope" Error with Blackbaud SKY API—Token Lacks Data Access Despite Full App Configuration

Hayden Riebe

Hi everyone,

I’m encountering a 403 Forbidden error when attempting to fetch data from the Blackbaud SKY API using a server‑based OAuth flow in my Tableau Web Data Connector (WDC) for Raiser's Edge NXT. Despite my application now being configured for full data access in the Blackbaud developer portal and using the scopes “rnxt.w rnxt.r” in my OAuth request, the access token I receive appears to have “no data access.” Here’s some context on my setup:

Environment & Setup:

• Application: A custom Tableau WDC for Raiser's Edge NXT.
• OAuth Flow: Server‑side (authorization code grant) using Node.js and Express.
• Endpoints:
  • Authorization Endpoint: https://oauth2.sky.blackbaud.com/authorization
  • Token Exchange Endpoint: https://oauth2.sky.blackbaud.com/token
  • API Endpoint for Data: https://api.sky.blackbaud.com/constituent/v1/constituents?$top=10
• Configuration:
  • My OAuth request URL includes the scopes rnxt.w rnxt.r (encoded correctly)
  • My application in the Blackbaud developer portal was originally set to “No access mode” but I have updated it to full data access and made this change last Friday.
  • I have verified that the redirect URI is set to http://localhost:3333/redirect in the developer portal.
• Implementation Details:
  • My Node/Express server stores the access token in memory (a global variable) upon successful token exchange.
  • A /status route confirms whether authentication is complete, and a /getConstituents route calls the SKY API using the stored token and my subscription key.
  • I’ve logged the OAuth URL and verified that the token is updated when re-authenticating, but when I call /getConstituents, I receive the following errors in my server logs:

This is the logged server error message:

{"title":"Forbidden","status":403,"detail":"This application has insufficient scope to perform the operation. The access token used in this request has no data access. This application's scopes configuration is either set to \\"No access mode\\" or the Blackbaud Environment Admin has not yet approved the application's updated access configuration. Learn more: https://developer.blackbaud.com/skyapi/docs/applications/scopes"}

Issue: Even after updating my app settings to full access, the access token returned by Blackbaud still seems to have “no data access.” My OAuth URL is built as follows:

https://oauth2.sky.blackbaud.com/authorization?response_type=code&client_id=[CLIENT_ID]&redirect_uri=[REDIRECT_URI]&scope=rnxt.w%20rnxt.r

I’ve triple‑checked that:

• The OAuth URL is correctly formatted (scopes properly URL‑encoded).
• The client ID, client secret, and redirect URI exactly match the values registered in my Blackbaud developer portal.
• My application’s configuration in Blackbaud now has full data access.

Questions:

1. Has anyone encountered an issue where, even after updating the app configuration and using the correct scopes, the returned access token still lacks data access?
2. Are there any additional parameters or troubleshooting steps I should check to ensure that the token is issued with the correct scopes and permissions?
3. Is there a known delay or additional approval step required on Blackbaud’s side after updating an app’s access configuration?

Any insight or suggestions would be greatly appreciated!

Thanks, Hayden Riebe

University of Alaska Foundation

Chris Rodgers

Hey @Hayden Riebe, I appreciate the very detailed explanation of your issue.

I believe the primary issue here is explained by the error message you received in your API response:

This application's scopes configuration is either set to \\"No access mode\\" or the Blackbaud Environment Admin has not yet approved the application's updated access configuration. Learn more: https://developer.blackbaud.com/skyapi/docs/applications/scopes"

As this points out (as well as the “Changing scopes” documentation), we require Marketplace admins to approve of scope changes when they occur after the application has been Connected. We do this so the application cannot automatically granted access beyond the comfort level of the environment admin. Once the admin approves your scope change, your application should have the access it needs.

Looking at your developer account, it appears that you may be able to resolve this yourself by going to the Manage Page in the Marketplace and approving your scope changes: https://app.blackbaud.com/marketplace/manage. I know this feels like extra red tape since you're acting as both the application developer and Marketplace admin, but we don't want applications to gain additional access to the product without an administrator's consent.

A couple extra notes: Scopes are tied to the Marketplace Connection, and currently (as of 2/25/2025), `scope` is ignored on the OAuth authorization request. The admin-approved scopes are evaluated when an access token is returned from the OAuth 2.0 authorization server, so your application will need to obtain a new access token to gain the additional access that it is requesting. Your application does not need your users to re-authorize the application; the application can simply exchange its refresh token for a new access token.

Edit: I am following up with our team to update the Edit Application Scopes form to include messaging about that admin change approval.

Hayden Riebe

Thanks, @Chris Rodgers, this immediately fixed my issue and I now have a connection to the SKY API within Tableau Desktop. Much appreciated!