IAM & Access

Troubleshooting Auth

Diagnose IAM authentication and authorization failures.

Authentication failures mean the caller is not recognised. Authorization failures mean the caller is recognised but does not have permission for the requested action.

Current Infuse IoT token limitation: IAM API-key credentials from Access > API Keys will not authenticate current Infuse IoT API requests. Use the legacy organisation-level admin token from /admin/developer.

Authentication Checks

Check the credential first:

  • The API key uses the full ik_<keyId>.<keySecret> value.
  • The API-key principal is Active.
  • The API-key principal belongs to the organisation you expect.
  • The principal has not expired.
  • The credential has not expired.
  • The credential has not been revoked.

If you are using token exchange, call:

POST /iam/auth/token

Then send the returned token as:

Authorization: Bearer <accessToken>

If you are using direct API-key auth, send:

Authorization: ApiKey ik_<keyId>.<keySecret>

Direct API-key auth also requires the organisation setting that allows direct API-key calls.
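A local pre-flight check for the two header formats above, which catches malformed credentials before a request is sent and produces a log-safe form of the header. This is an added example, not code from the product; the function names are hypothetical, and it assumes the keyId contains no "." and is not itself sensitive.

```python
import re

PREFIX = "ik_"  # from the page's ik_<keyId>.<keySecret> shape

def redact(key):
    """Log-safe form: keep ik_<keyId>, mask the secret (assumes keyId is not sensitive)."""
    key_id, sep, _ = key.partition(".")
    return key_id + ".***" if sep else "***"

def check_api_key(key):
    """List problems with an API-key value. Assumes keyId contains no '.'."""
    problems = []
    if re.search(r"\s", key):
        problems.append("contains whitespace or a newline")
    if "<" in key or ">" in key:
        problems.append("placeholder brackets were not replaced")
    if not key.startswith(PREFIX):
        problems.append("missing ik_ prefix")
    key_id, sep, secret = key.partition(".")
    if not sep or not secret:
        problems.append("keySecret part is missing, value is truncated")
    elif key_id == PREFIX:
        problems.append("keyId part is empty")
    return problems

def check_authorization(header):
    """Classify an Authorization header value as the page describes it."""
    scheme, _, cred = header.partition(" ")
    if scheme == "ApiKey":
        return {"mode": "direct", "log_as": "ApiKey " + redact(cred),
                "problems": check_api_key(cred)}
    if scheme == "Bearer":
        problems = []
        if cred.startswith(PREFIX):
            # A raw key under Bearer skips the POST /iam/auth/token exchange.
            problems.append("API key sent as Bearer; exchange it first or use ApiKey")
        elif not cred.strip():
            problems.append("empty access token")
        return {"mode": "bearer", "log_as": "Bearer ***", "problems": problems}
    return {"mode": "unknown", "log_as": "***",
            "problems": ["scheme must be Bearer or ApiKey"]}

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for sample in ("ApiKey ik_abc123.s3cr3tvalue", "ApiKey ik_abc123",
                   "Bearer ik_abc123.s3cr3tvalue", "Basic dXNlcjpwdw=="):
        print(check_authorization(sample))
```

An empty problem list only means the header is well-formed; whether the principal is active and the credential is unexpired and unrevoked is still decided by the server.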

Authorization Checks

If authentication succeeds but the API call is denied, check access:

  • The principal has a role assignment.
  • The assigned role supports the principal type. API-key principals need roles that support ApiKey.
  • The assignment belongs to the correct organisation.
  • The role includes a permission for the action being requested.
  • Any resource scope or condition on the role matches the request.

Use Access > Roles to inspect role permissions and member assignments. Use Access > API Keys to inspect API-key principal role assignments.

Common Fixes

| Symptom | Check |
| --- | --- |
| Token exchange fails | Confirm the API key value is complete, the principal is active, and the credential is not expired or revoked. |
| Infuse IoT rejects an IAM API key | Use the legacy organisation-level admin token from /admin/developer. |
| Direct API-key request fails | Confirm direct API-key auth is enabled for the organisation, or exchange the key for a bearer token. |
| API call returns forbidden | Confirm the principal has a role assignment that includes the required permission. |
| API-key role is not available | Confirm the role supports ApiKey principals. |
| Member cannot access a workflow | Confirm the member is in the current organisation and has the required role assignment. |

Do not call APIs with IAM credentials from browser code, mobile apps, public repositories, or customer-visible examples.